Full Report
The security provider published mitigation measures to prevent exploitation
Analysis Summary
# Vulnerability: Critical Authentication Bypass in FortiGate Firewalls (CVE-2024-55591)
## CVE Details
- CVE ID: CVE-2024-55591
- CVSS Score: 9.6 (Critical)
- CWE: Alternate Path or Channel or Authentication Bypass
## Affected Systems
- Products: FortiOS (FortiGate Firewalls) and FortiProxy
- Versions:
- FortiOS: 7.0.0 through 7.0.16
- FortiProxy: 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12
- Configurations: Affects devices with exposed management interfaces (HTTP/HTTPS).
## Vulnerability Description
CVE-2024-55591 is a critical authentication bypass vulnerability affecting the Node.js web socket module within FortiOS and FortiProxy. A remote attacker can exploit this flaw by sending crafted requests to bypass authentication mechanisms and potentially gain super-admin privileges on the affected firewall devices.
## Exploitation
- Status: **Exploited in the wild** (Observed in active exploitation campaigns since December 2024, leading to configuration alteration and credential extraction via DCSync).
- Complexity: Assessed as highly relevant given observed mass exploitation.
- Attack Vector: Network (Requires administrative interface exposure to the internet).
## Impact
- Confidentiality: High (Potential for credential extraction and sensitive information disclosure)
- Integrity: High (Potential for unauthorized configuration changes, including persistence mechanisms)
- Availability: Medium to High (If super-admin access allows disruption of services)
## Remediation
### Patches
Users should upgrade to the following versions or later:
- FortiOS 7.0: Upgrade to **7.0.17 or above**
- FortiProxy 7.0: Upgrade to **7.0.20 or above**
- FortiProxy 7.2: Upgrade to **7.2.13 or above**
### Workarounds
If immediate patching is not possible, restrict access to the management interface:
1. **Disable HTTP/HTTPS administrative interfaces entirely.**
2. **Limit IP addresses** that can reach the administrative interface using local-in policies:
a. Define allowed addresses/address groups (`MGMT_IPs`).
b. Create a local-in policy to `ACCEPT` HTTPS/HTTP traffic only from the allowed group on the management interface (e.g., `port1`).
c. Create a subsequent local-in policy to `DENY` HTTPS/HTTP traffic from `all` sources on the management interface to block unauthorized access.
d. Ensure custom service objects are created if non-default ports are used for administrative access.
## Detection
- Indicators of Compromise (IoC): Evidence of unauthorized changes to firewall configurations, especially those related to user accounts or network policies, occurring shortly after the observed exploitation timeline. Reports mention threat actors using extracted credentials for lateral movement (e.g., via DCSync).
- Detection Methods and Tools: Monitor firewall logs for unusual activity targeting web socket modules or authentication attempts from unexpected external sources leading to high-privilege sessions. Review FortiGate configuration history for unauthorized modifications.
## References
- Vendor Advisory: hxxps://www.fortiguard.com/psirt/FG-IR-24-535
- Related Report: hxxps://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/