Photo credit: www.darkreading.com
Fortinet has announced a fix for a critical zero-day vulnerability in its FortiOS and FortiProxy products that has been actively exploited by malicious actors. This flaw allows attackers to achieve super-administrative access, raising significant security concerns for organizations utilizing these services.
Classified as critical and referred to as CVE-2024-55591 (CVSS score of 9.6), this vulnerability was described by Fortinet as an “authentication bypass using an alternate path or channel” that permits a remote attacker to obtain super-admin privileges through specially crafted requests sent to the Node.js WebSocket module, according to a recent security advisory from FortiGuard Labs.
Fortinet reported that threat actors engaged in various malicious operations leveraging this flaw. These included creating unauthorized administrative accounts, modifying existing user groups, altering firewall policies, and logging into the SSL VPN to penetrate internal networks.
The company has urged users of affected products to implement the recommended updates available on its website to safeguard against potential attacks. Additionally, workaround solutions have been provided in the advisory issued by Fortinet.
Initial Indicators of Exploit Activity
Concerns surfaced earlier this month when researchers from Arctic Wolf indicated that a zero-day vulnerability was likely responsible for a series of attacks against FortiGate firewall devices. These incidents targeted devices with management interfaces exposed to the public internet, facilitating unauthorized administrative logins and configuration alterations.
Fortinet had initially alerted its users about the issue prior to public disclosure of the patch. This low-profile approach allowed researchers from watchTowr Labs to piece together the situation, leading them to detail their findings regarding the flaw in a blog post published on January 27. Up until then, the specific nature of the vulnerability remained unclear.
Further investigations revealed that the vulnerability stemmed from the jsconsole functionality—a graphic interface feature enabling command line interface (CLI) command executions within FortiOS’s management interface. WatchTowr Labs noted, “The weakness in this functionality allowed attackers to add a new administrative account.”
The jsconsole is a WebSocket-based console to the CLI of the affected devices. The CLI commands executed through this console possess equivalent power to those employed by legitimate administrators to configure these devices. Therefore, if an attacker compromises this console, the entire system is considered at risk.
Researchers identified that the vulnerability involves multiple interrelated issues, forming a critical exploit pathway for attackers. These vulnerabilities permit a four-step process to gain super administrative access.
The steps include: establishing a WebSocket connection from a pre-authenticated HTTP request; utilizing a specific parameter known as local_access_token to bypass session checks; exploiting a race condition in the WebSocket Telnet CLI to initiate authentication before the server response; and choosing the desired access profile to acquire super administrator privileges.
Mitigation Strategies for CVE-2024-55591
Fortinet devices continue to attract the attention of cybercriminals, with weaknesses in these systems frequently being exploited to breach both the devices themselves and the broader corporate networks they safeguard.
Organizations affected by this latest vulnerability are strongly recommended to apply the suggested updates or utilize the workarounds provided by Fortinet to ensure their systems are secured.
Moreover, Fortinet has indicated that attackers would typically need knowledge of an admin account’s username to successfully execute the attack. Consequently, employing complex and unpredictable usernames for admin accounts can enhance security and is recognized as a best practice. However, the advisory warns that as the WebSocket involved does not function as an authentication checkpoint, it remains possible for attackers to brute-force the username to exploit the flaw.
Source
www.darkreading.com