# Full Report
In late November and December 2024, Arctic Wolf observed evidence of a mass compromise of Fortinet FortiGate devices. While the initial attack vector was unknown at the time, the evidence of compromise (newly created users and SSL profiles) was consistent across the affected devices.
# Analysis Summary
# Vulnerability: Fortinet FortiOS/FortiProxy Zero Day (CVE-2024-55591)
## CVE Details
- CVE ID: CVE-2024-55591
- CVSS Score: Not provided in the source text
- CWE: Not provided in the source text
## Affected Systems
- Products: Fortinet FortiOS, FortiProxy
- Versions:
  - FortiOS: 7.0.0 through 7.0.16
  - FortiProxy: 7.0.0 through 7.0.19
  - FortiProxy: 7.2.0 through 7.2.12
- Configurations: Not stated explicitly; the mitigations imply that devices whose management interface is reachable from untrusted networks are the ones at risk.
## Vulnerability Description
The source identifies CVE-2024-55591 as a zero-day affecting Fortinet FortiOS and FortiProxy devices. The nature of the flaw (for example, buffer overflow or injection) is not described in this excerpt; only its existence and the affected versions are given.
## Exploitation
- Status: The source calls it a "Zero Day," which implies an active threat, but an explicit "exploited in the wild" status is not confirmed in the summary provided.
- Complexity: Not specified.
- Attack Vector: Not explicitly defined; the recommended mitigations suggest the management port is the exposed surface.
## Impact
- Confidentiality: Not specified.
- Integrity: Not specified.
- Availability: Not specified.
## Remediation
### Patches
The source recommends upgrading to the following versions immediately:
- FortiOS: Upgrade to **7.0.16 or above** (for vulnerable versions 7.0.0 through 7.0.16)
- FortiProxy: Upgrade to **7.0.20 or above** (for vulnerable versions 7.0.0 through 7.0.19)
- FortiProxy: Upgrade to **7.2.13 or above** (for vulnerable versions 7.2.0 through 7.2.12)
Upgrade instructions are available from Fortinet in advisory FG-IR-24-535.
### Workarounds
If immediate patching is impossible:
1. **Shut down the management port** if it is exposed to the Internet.
2. If management access is required, use **Access Control Lists (ACLs)** to limit which IP addresses can reach the port. The source describes configuring this with the `my_allowed_addresses` setting on the Fortinet device.
3. Monitor all connections to the device.
4. Ensure audit logging for the device is enabled.
## Detection
- **IoCs:** Analyze logs for the following source IP addresses, noting that these values are chosen by the attacker and may change: `1.1.1.1`, `127.0.0.1`, `2.2.2.2`, `8.8.8.8`, `8.8.4.4`.
- **Detection methods and tools:** Analyze logs for anomalous SSL profiles, which may indicate compromise. If compromise is suspected, a full investigation usually requires Digital Forensics and Incident Response (DFIR) services.
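The detection points above (logins from the listed IoC source addresses, logins from outside the management allowlist that the ACL workaround is meant to enforce, and newly created admin users or SSL profiles as described in the Arctic Wolf observation) can be turned into a small log triage script. The following is an added example, not code from Arctic Wolf, Fortinet, or this report. The log lines are constructed in a FortiGate-style `key=value` layout, and the field names (`logdesc`, `user`, `ui`, `srcip`, `cfgpath`, `cfgobj`, `cfgattr`, `action`), the `203.0.113.0/24` management allowlist, and the `SUSPICIOUS_CFG_PATHS` prefixes are assumptions for illustration, not a guaranteed vendor schema.

```python
"""Triage FortiGate-style event logs for the indicators described in this report.

Added example (not from Arctic Wolf or Fortinet). Field names and the sample
log lines are constructed assumptions, not a guaranteed vendor log schema.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Source IPs listed as IoCs in the report. They are attacker-chosen and may change.
IOC_SOURCE_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# Assumed management allowlist; mirrors the ACL workaround (only these networks
# should ever reach the management port). Replace with your own ranges.
MGMT_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Config paths whose Add/Edit events match the observed post-compromise pattern
# (new admin users, changed SSL VPN settings/profiles). Prefixes are assumptions.
SUSPICIOUS_CFG_PATHS = ("system.admin", "vpn.ssl.")

# Constructed sample lines: one legitimate login, one login from an IoC address,
# a new super_admin user, an SSL VPN settings change, and a benign interface edit.
SAMPLE_LOGS = [
    'date=2024-12-01 time=09:12:03 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 action="login" status="success"',
    'date=2024-12-01 time=22:41:17 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(1.1.1.1)" srcip=1.1.1.1 action="login" status="success"',
    'date=2024-12-01 time=22:41:30 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="https(1.1.1.1)" cfgpath="system.admin" cfgobj="vpnuser" cfgattr="accprofile[super_admin]" action="Add"',
    'date=2024-12-01 time=22:43:02 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="https(1.1.1.1)" cfgpath="vpn.ssl.settings" cfgattr="tunnel-ip-pools[SSLVPN_TUNNEL_ADDR1]" action="Edit"',
    'date=2024-12-02 time=08:00:00 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="https(203.0.113.10)" cfgpath="system.interface" cfgobj="port2" cfgattr="description[uplink]" action="Edit"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ip_allowed(ip: str) -> bool:
    """True if ip falls inside the management allowlist (the ACL the workaround enforces)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed srcip is never 'allowed'
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def triage(lines: Iterable[str]) -> List[dict]:
    """Return one finding per log line that matches any indicator from the report."""
    findings: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        reasons: List[str] = []
        src = ev.get("srcip", "")

        # Indicator 1: admin login from a reported IoC address or from outside the allowlist.
        if ev.get("action") == "login":
            if src in IOC_SOURCE_IPS:
                reasons.append(f"login from reported IoC source {src}")
            elif not ip_allowed(src):
                reasons.append(f"login from outside management allowlist ({src or 'no srcip'})")

        # Indicator 2: configuration change creating admin users or touching SSL VPN settings.
        cfgpath = ev.get("cfgpath", "")
        if cfgpath.startswith(SUSPICIOUS_CFG_PATHS) and ev.get("action") in ("Add", "Edit"):
            target = ev.get("cfgobj") or ev.get("cfgattr", "")
            reasons.append(f"{ev['action']} on {cfgpath} ({target})")

        if reasons:
            findings.append({
                "time": f"{ev.get('date', '?')} {ev.get('time', '?')}",
                "user": ev.get("user"),
                "ui": ev.get("ui"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['time']} user={f['user']} ui={f['ui']}: " + "; ".join(f["reasons"]))
```

Run against the constructed sample, the script flags three of the five lines: the login from `1.1.1.1`, the `Add` of a new `system.admin` object, and the `Edit` of `vpn.ssl.settings`; the legitimate login and the interface edit from the allowlisted address are left alone. Treat a hit on the allowlist check as a policy violation worth reviewing even when the address is not on the IoC list, since the IoC values are attacker-chosen and will not stay static.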
## References
- Vendor advisory (defanged): `fortiguard.fortinet.com/psirt/FG-IR-24-535`