
CVE-2024-55591: A new Zero-Day vulnerability is being exploited in FORTINET products

A newly discovered zero-day vulnerability allows hackers to gain super-admin access, create VPN accounts, and infiltrate corporate networks.


FPT Threat Intelligence has reported information about unauthorized logins to the firewall management interface, creation of new accounts, SSL VPN authentication through those accounts, and various configuration changes. This malicious activity is believed to have started at the end of 2024, with unidentified attackers gaining unauthorized access to the management interface of affected firewalls to change configurations and extract credentials using the DCSync technique.

Details

  • CVE ID: CVE-2024-55591

  • CVSS Score: 9.6 (Critical)

  • Vendor: Fortinet

  • Affected Products: FortiOS and FortiProxy

  • Publication Date: 14/01/2025

  • Description: An Authentication Bypass vulnerability (CWE-288) in FortiOS and FortiProxy allows remote attackers to gain super-admin privileges through specially crafted requests to the device's Node.js websocket module.

Affected Versions

  • FortiOS: From version 7.0.0 to 7.0.16

  • FortiProxy: From version 7.0.0 to 7.0.19

  • FortiProxy: From version 7.2.0 to 7.2.12

Technical Attack Details

Attack Vector

  • Exploiting the management interface exposed to the internet

  • Using the jsconsole interface from unusual IP addresses

  • Sending specially crafted requests to the Node.js websocket module

Attack Stages

  1. Reconnaissance Stage:

    During this stage, attackers scan for vulnerable devices and log into the firewall management interface, where they adjust settings, including switching the configuration output setting from "standard" to "more," before making more extensive changes, such as creating new super-admin accounts.

  2. Intrusion Stage:

    Up to six new local user accounts are created for each device. These new super admin accounts are then used to set up additional local user accounts and add them to groups that the victim organization had previously created for SSL VPN access. In other cases, existing accounts are taken over and added to VPN access groups.

  3. Access Expansion Stage:

    • Add accounts to existing SSL VPN groups.

    • Create new SSL VPN portals.

    • Set up VPN tunnels from VPS hosting providers.

  4. Information Gathering Stage:

    • Use the DCSync technique to extract login credentials.

    • Perform lateral movement within the network to exploit further.

The CVE-2024-55591 vulnerability has been actively exploited recently, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by January 21, 2025.

Recommendations

FPT Threat Intelligence suggests the following measures to mitigate this vulnerability:

Key Action: Update to the latest Fortinet version

  • FortiOS: Upgrade to version 7.0.17 or higher

  • FortiProxy 7.0.x: Upgrade to version 7.0.20 or higher

  • FortiProxy 7.2.x: Upgrade to version 7.2.13 or higher

Temporary Mitigation Measures

  • Disabling the HTTP/HTTPS management interface is the most direct and effective way to prevent unauthorized access to the management interface.

  • Restrict which source IP addresses may reach the management interface. Follow these steps:

Step 1: Define the IP addresses or subnets allowed to access the management interface

config firewall address
edit "my_allowed_addresses"
set subnet <allowed IP address or subnet>
next
end

Step 2: Create an address group for the management IPs

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
next
end

Step 3: Create a local-in policy to restrict access to the management interface (e.g., on port1)

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next

edit 2
set intf "all"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
next
end
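Steps 1 to 3 above, assembled into one backup and checked by an added audit script (example code, not FPT's or Fortinet's): it parses FortiOS config/edit/set/next/end syntax into nested dictionaries and verifies that an enabled local-in policy accepts HTTP/HTTPS only from named address objects with a specific subnet, and that a deny-all policy for the same services follows it. The address 203.0.113.10 (an RFC 5737 documentation address standing in for the placeholder), the weakened variant, and the assumption that policies appear in the backup in evaluation order are all constructed for this example.

```python
"""Added example, not FPT's or Fortinet's code: audit a FortiOS configuration
backup for the management-access pattern set up in Steps 1-3 above."""
import shlex
from typing import Dict, List

# Administrative services the local-in policies must cover.
ADMIN_SERVICES = {"HTTP", "HTTPS"}

# Constructed: the three steps from the text as one backup, with the
# placeholder replaced by the RFC 5737 documentation address 203.0.113.10.
HARDENED = """\
config firewall address
edit "my_allowed_addresses"
set subnet 203.0.113.10 255.255.255.255
next
end
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
next
end
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "all"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
next
end
"""
# Constructed weak variant: the accept policy is opened to any source,
# which makes the deny policy that follows it meaningless.
WEAK = HARDENED.replace('set srcaddr "MGMT_IPs"', 'set srcaddr "all"')


def parse_fortios_config(text: str) -> Dict:
    """Parse config/edit/set/next/end syntax into nested dicts.
    Tables map entry names to dicts; 'set' values are kept as token lists."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif keyword == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif keyword in ("next", "end"):
            stack.pop()
        # 'unset' and other keywords are irrelevant to this audit and skipped.
    return root


def resolve_addresses(cfg: Dict, name: str) -> List[str]:
    """Expand an address-group name (recursively) into address object names."""
    groups = cfg.get("firewall addrgrp", {})
    if name not in groups:
        return [name]
    members: List[str] = []
    for member in groups[name].get("member", []):
        members.extend(resolve_addresses(cfg, member))
    return members


def audit_local_in(cfg: Dict) -> List[str]:
    """Return audit findings; an empty list means the pattern is in place.
    Assumes policies in the backup appear in their evaluation order."""
    findings: List[str] = []
    policies = cfg.get("firewall local-in-policy", {})
    addresses = cfg.get("firewall address", {})
    accept_seen = deny_seen = False
    for pid, pol in policies.items():
        services = {s.upper() for s in pol.get("service", [])}
        if not (services & ADMIN_SERVICES) or pol.get("status", ["enable"])[0] != "enable":
            continue
        action = pol.get("action", ["deny"])[0]
        sources = pol.get("srcaddr", [])
        if action == "accept":
            accept_seen = True
            if "all" in sources:
                findings.append(f"policy {pid}: accepts admin services from any source")
            # Every named source must resolve to an address object with a real subnet.
            for obj in (o for s in sources for o in resolve_addresses(cfg, s) if o != "all"):
                subnet = addresses.get(obj, {}).get("subnet")
                if not subnet:
                    findings.append(f"policy {pid}: source object {obj!r} is undefined or has no subnet")
                elif subnet[0] == "0.0.0.0":
                    findings.append(f"policy {pid}: source object {obj!r} covers 0.0.0.0/0")
        elif action == "deny" and "all" in sources:
            if not accept_seen:
                findings.append(f"policy {pid}: deny-all precedes the allow policy and would block all admin access")
            deny_seen = True
    if not accept_seen:
        findings.append("no enabled local-in policy accepts admin services from a restricted source")
    if not deny_seen:
        findings.append("no enabled local-in policy denies admin services from all other sources")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_local_in(parse_fortios_config(HARDENED)) or "OK")
    print("weak:", audit_local_in(parse_fortios_config(WEAK)))
```

Run it against a real backup by reading the file into `parse_fortios_config`; the hardened sample returns no findings, while the weak variant reports that policy 1 accepts admin services from any source.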

Additional Recommendations

  1. Check logs for signs of intrusion.

  2. Change all credentials after updating.

  3. Review VPN configurations and user accounts.

  4. Implement active monitoring for suspicious activities.
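Recommendations 1 and 4 (check logs, monitor for suspicious activity) map directly onto the indicators in the Attack Stages section: jsconsole logins from unexpected IPs, the output setting changed to "more", new super-admin accounts, and users added to SSL VPN groups. The following is an added example, not FPT's code, that runs those four checks over FortiOS-style key=value event log lines. The log lines, the 10.0.0.0/24 admin allowlist, and the field names and values (logdesc, ui, srcip, cfgpath, cfgobj, cfgattr) are constructed assumptions modelled on FortiOS's event log format, not captured data; confirm them against your own device's logs before relying on the rules.

```python
"""Added example (not FPT's code): flag the intrusion indicators described in
this advisory in FortiOS-style event logs.  Field names and values below are
assumptions modelled on FortiOS's key=value event log format, not captures."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample log lines (not real captures). Line 1 is a normal GUI
# login from the admin subnet; lines 2-5 reproduce the advisory's indicators.
SAMPLE_LOGS = """\
date=2025-01-10 time=08:12:01 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2025-01-10 time=08:13:44 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=203.0.113.77 action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"
date=2025-01-10 time=08:14:02 type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="admin" ui="jsconsole" action="Edit" cfgpath="system.console" cfgattr="output[standard->more]" msg="Edit system.console"
date=2025-01-10 time=08:15:30 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"
date=2025-01-10 time=08:16:10 type="event" subtype="system" level="information" vd="root" logdesc="Attribute configured" user="svc_backup" ui="jsconsole" action="Edit" cfgpath="user.group" cfgobj="SSLVPN_Users" cfgattr="member[alice bob->alice bob svc_backup]" msg="Edit user.group SSLVPN_Users"
"""

# Constructed: the subnets from which administrative logins are expected.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]

# key=value pairs; values are either "double quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one FortiOS-style log line into a dict, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def from_allowed_source(ip: str) -> bool:
    """True if ip falls inside one of the expected management subnets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def classify(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the detection rules an event matches (zero or more)."""
    hits: List[Dict[str, str]] = []
    ui = ev.get("ui", "")
    cfgpath = ev.get("cfgpath", "")
    cfgattr = ev.get("cfgattr", "")
    # 1. Successful admin login through jsconsole from outside the admin subnets
    #    (the advisory's primary indicator: jsconsole use from unusual IPs).
    if (ev.get("logdesc") == "Admin login successful" and ui.startswith("jsconsole")
            and not from_allowed_source(ev.get("srcip", ""))):
        hits.append({"rule": "jsconsole_login_unlisted_ip",
                     "detail": f"user={ev.get('user')} srcip={ev.get('srcip')}"})
    # 2. Console output switched to "more" (reconnaissance stage).
    if cfgpath == "system.console" and "output[" in cfgattr and "->more]" in cfgattr:
        hits.append({"rule": "console_output_more", "detail": f"by {ev.get('user')} via {ui}"})
    # 3. A new administrator object created (intrusion stage: new super-admin accounts).
    if cfgpath == "system.admin" and ev.get("action") == "Add":
        hits.append({"rule": "admin_account_added",
                     "detail": f"{ev.get('cfgobj')} {cfgattr} via {ui}"})
    # 4. User-group membership changed (access expansion: accounts added to SSL VPN groups).
    if cfgpath == "user.group" and cfgattr.startswith("member["):
        hits.append({"rule": "vpn_group_membership_changed",
                     "detail": f"group={ev.get('cfgobj')} {cfgattr} by {ev.get('user')}"})
    return hits


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run every rule over every non-empty line, preserving log order."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        if raw.strip():
            findings.extend(classify(parse_line(raw)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS.splitlines()):
        print(f["rule"], "-", f["detail"])
```

Feed it exported event logs (one line each); the first sample line produces nothing, the other four each trigger one rule. Rule 3 fires on every new admin object rather than only super_admin ones on purpose, since any unexpected administrator creation after the patch window deserves review under recommendation 2.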
