Overview
Fortinet, a global leader in cybersecurity solutions, recently released a critical advisory addressing a significant vulnerability (CVE-2024-55591) in its FortiOS and FortiProxy products. This flaw, which has a CVSSv3 score of 9.6, is categorized as a critical authentication bypass vulnerability and is currently being exploited in the wild.
Attackers leveraging this vulnerability can potentially gain super-admin privileges by exploiting weaknesses in the Node.js WebSocket module, making this a high-stakes issue for organizations relying on Fortinet’s products.
This blog provides a detailed overview of the vulnerability, affected versions, Indicators of Compromise (IOCs), mitigation strategies, and steps for administrators to protect their systems effectively.
The Vulnerability Explained
The CVE-2024-55591 vulnerability stems from an “Authentication Bypass Using an Alternate Path or Channel” issue (CWE-288). An attacker can craft malicious requests to the Node.js WebSocket module, bypass authentication, and gain unauthorized super-admin access. Once exploited, the attacker can perform a wide range of malicious activities, including:
- Creating administrative or local user accounts.
- Modifying firewall policies, addresses, or system settings.
- Establishing Secure Sockets Layer Virtual Private Network (SSL VPN) tunnels to access internal networks.
Affected Products and Versions
The vulnerability impacts the following versions of FortiOS and FortiProxy products:
FortiOS
- Versions 7.0.0 through 7.0.16 are affected.
- Versions 7.6, 7.4, and 6.4 are not affected.
FortiProxy
- Versions 7.0.0 through 7.0.19.
- Versions 7.2.0 through 7.2.12.
- Versions 7.6 and 7.4 are not affected.
Solution:
- Upgrade FortiOS to version 7.0.17 or later.
- Upgrade FortiProxy to versions 7.0.20 or 7.2.13 or later.
How Attackers Exploit the Vulnerability
Attackers exploit this vulnerability by sending malicious WebSocket requests to bypass authentication controls. They can target administrative accounts by guessing or brute-forcing usernames. Once access is gained, they perform the following malicious actions:
- Create random user accounts such as “Gujhmk” or “M4ix9f”.
- Add these accounts to administrative or VPN groups.
- Use SSL VPN connections to infiltrate the internal network.
Indicators of Compromise (IOCs)
Fortinet has shared some key IOCs that organizations should monitor to identify potential attacks.
Log Entries
Look for the following types of suspicious log entries in your system:
- Successful Admin Logins:
type=”event” subtype=”system” level=”information” logdesc=”Admin login successful”
user=”admin” ui=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success”
msg=”Administrator admin logged in successfully from jsconsole”
- Unauthorized Configuration Changes:
type=”event” subtype=”system” level=”information” logdesc=”Object attribute configured”
user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add”
msg=”Add system.admin vOcep”
Suspicious IP Addresses
Attackers have been observed using the following IP addresses to launch attacks:
- 45.55.158.47 (most commonly used)
- 87.249.138.47
- 155.133.4.175
- 37.19.196.65
- 149.22.94.37
It’s important to note that these IP addresses are not fixed sources of attack traffic; they are often spoofed and may not represent the actual origin.
Recommended Actions
1. Update Immediately
If your organization is using affected versions of FortiOS or FortiProxy, the most effective solution is to upgrade to the latest secure versions. Fortinet has provided tools to assist with upgrading, which can be found on their official site.
2. Mitigations for Immediate Protection
If an upgrade cannot be performed immediately, consider implementing the following mitigations:
- Disable HTTP/HTTPS Administrative Interfaces: This reduces the exposure of management interfaces to the internet.
- Restrict Access with Local-In Policies:
Limit access to the administrative interface by allowing only trusted Ips - Use Non-Standard Admin Usernames: To make brute-force attacks more difficult, avoid predictable or default usernames for administrative accounts.
Exploitation in the Wild
Reports indicate active exploitation of this vulnerability. Threat actors have been observed creating random administrative or local user accounts, such as:
- Gujhmk
- Ed8x4k
- Alg7c4
These accounts are often added to SSL VPN user groups to establish tunnels into internal networks, making it critical to monitor for unauthorized account creation.
Best Practices for Enhanced Security
- Enable Logging and Monitoring:
Continuously monitor system logs for any unauthorized administrative activity, suspicious configuration changes, or unexpected VPN connections. - Conduct Regular Vulnerability Scans:
Perform routine scans to identify and patch other vulnerabilities within your network infrastructure. - Adopt a Zero Trust Approach:
Limit user privileges to the minimum required and enforce strict access controls, especially for administrative tasks. - Educate Your Team:
Ensure that your IT and security teams are aware of this vulnerability and trained to respond to potential threats. - Implement Multi-Factor Authentication (MFA):
Although this vulnerability bypasses traditional authentication, MFA adds an additional layer of security that can mitigate other attack vectors.
Conclusion
The CVE-2024-55591 vulnerability emphasizes the critical need for organizations to stay ahead of emerging threats. With attackers actively exploiting this flaw to gain super-admin access, the risks to your infrastructure and data cannot be overstated. Organizations using FortiOS and FortiProxy must act immediately. Patching systems and implementing mitigations isn’t optional; it’s imperative.
It’s not just about reacting to vulnerabilities—it’s about adopting a proactive and layered approach to cybersecurity. Leveraging tools like multi-factor authentication, real-time log monitoring, and Zero-Trust architectures can significantly reduce the risk of exploitation.
The broader lesson here is clear: vulnerabilities are inevitable, but breaches don’t have to be. By staying informed, investing in advanced threat detection systems, and fostering a security-first mindset within your organization, you can not only address immediate threats but also build resilience against future ones.
As cyber threats grow more advanced, are you prepared to meet them head-on? Strengthening your defenses today will determine your security tomorrow.
Let this be a reminder to continuously innovate and adapt in the face of an ever-changing threat landscape.
Your next step could define the safety of your organization.
