Fortinet has recently addressed an actively exploited zero-day authentication bypass vulnerability in its FortiOS and FortiProxy products. This flaw, categorized as critical and identified as CVE-2024-55591, allowed threat actors to gain super-administrative access to devices, enabling them to carry out malicious activities such as breaching corporate networks. The vulnerability was described by Fortinet as an “authentication bypass using an alternate path or channel vulnerability” that could be leveraged by remote attackers to attain super-admin privileges through crafted requests to the Node.js websocket module, as detailed in a security advisory from FortiGuard Labs.
According to Fortinet, malicious actors have been taking advantage of this flaw to execute various harmful operations. These activities included creating administrator accounts with random usernames, generating local user accounts with random names, forming user groups or adding local users to existing SSL VPN user groups, modifying settings like firewall policy and firewall addresses, and establishing tunnels to internal networks via SSL VPN logins.
Fortinet advised customers using affected products to follow the recommended upgrade path outlined on its website to address the vulnerability effectively. Additionally, the company provided workaround options in its advisory to help mitigate the risk posed by the flaw.
The initial signs of exploitation of the Fortinet zero-day vulnerability emerged when researchers at Arctic Wolf disclosed that a zero-day flaw was likely responsible for a series of attacks on FortiGate firewall devices with publicly exposed management interfaces. Attackers were observed targeting these devices to create unauthorized administrative logins, make configuration changes, create new accounts, and conduct SSL VPN authentication without proper authorization.
Further analysis conducted by watchTowr Labs shed light on the specifics of the vulnerability. The flaw was identified within the jsconsole functionality, a feature that allows the execution of command line interface commands through FortiOS’s management interface. Exploiting this weakness enabled attackers to add new administrative accounts, potentially compromising the entire appliance if they gained access to the Web console.
Researchers identified a sequence of steps that attackers could follow to achieve super administrative access through the vulnerability. These steps involved creating a WebSocket connection from a pre-authenticated HTTP request, utilizing a special parameter to skip session checks, exploiting a race condition in the WebSocket Telnet CLI, and selecting the access profile desired, such as becoming a super administrator.
To protect against the CVE-2024-55591 vulnerability, organizations using affected Fortinet devices are urged to update their systems following the recommended upgrade path or implement workarounds provided by Fortinet. It was noted that having unique and complex usernames for admin accounts could offer an additional layer of protection against the exploitation of the flaw. However, since the targeted WebSocket is not an authentication point itself, there remains a risk of brute-force attacks to compromise usernames and exploit the vulnerability.
Given the prevalence of threats targeting Fortinet devices, it is essential for organizations to stay vigilant, apply necessary security measures, and promptly address vulnerabilities to safeguard their networks and sensitive information.