Advisory ID: ngCERT-2025-010006
SUMMARY
ngCERT has observed the emergence of a critical Fortinet OS & FortiProxy Authentication Bypass Vulnerability tagged (CVE-2024-55591). This flaw allows attackers to execute remote code on affected systems, which can result in full system compromise. Exploiting this flaw can lead to data breaches, privilege escalation, and service disruption. Reportedly, the weakness is identified with a CVSSv3 score of 9.6, with records of active exploitation in the wild. In this regard, users are strongly advised to apply the available patches provided by Fortinet, while emplacing necessary measures to safeguard their systems.
Probability: High
Damage: Critical
Platform(s): Fortinet OS
DESCRIPTION
CVE-2024-55591 vulnerability emanates from an “Authentication Bypass Using an Alternate Path or Channel” issue (CWE-288). It is a remote code execution (RCE) vulnerability that exists due to improper input validation in the Node.js websocket module of FortiOS and FortiProxy products. The vulnerability allows an unauthenticated attacker to send specially crafted input to the Node.js websocket module, triggering a stack-based buffer overflow. This overflow can be exploited to execute arbitrary code on the target device, with the potential for the attacker to gain super-admin privileges over the system. Threat actors could gain unauthorized access to firewall management interfaces, create new user accounts, use those accounts to bypass security (like logging in via SSL VPN) and other multiple modifications to the device configuration which helps attackers establish a path to the internal network. The vulnerability is particularly dangerous because it can be triggered remotely over the network without requiring prior authentication, making it a prime target for attackers seeking to gain unauthorized access to systems. This vulnerability impacts FortiOS versions 7.0.0 to 7.0.16, FortiProxy versions 7.0.0 to 7.0.19, and FortiProxy versions 7.2.0 to 7.2.12.
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
1. System compromise.
2. Unauthorized access to sensitive data.
3. Data exfiltration.
4. Ransomware infiltration leading to potential financial loss.
5. Reputational damage.
6. Service Disruption leading to potential Denial of Service (DoS).
SOLUTION/MITIGATION
ngCERT recommends the following:
1. Ensure that all systems using the affected component are updated to the latest, secure versions. Fortinet has provided tools to assist with upgrading, which can be found on their official site. https://www.fortiguard.com/psirt/FG-IR-24-535
2. Implement network segmentation and firewalls to restrict access to critical systems from untrusted or external networks.
3. Adopt the Use of intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor for abnormal traffic patterns or exploit attempts targeting this vulnerability.
4. Deploy Web Application Firewalls (WAFs) to detect and block any malicious payloads.
5. Implement network segmentation and firewalls to restrict access to critical systems from untrusted or external networks.
6. Ensure comprehensive monitoring to detect abnormal activities and possible indicators of compromise (IoCs) that could reveal attempted or successful attacks.
7. Implement system hardening by ensuring the principle of least privilege is in force, while enabling only necessary services and open ports are accessible.
8. Disable or restrict the use of vulnerable components or services that expose the system to external connections, where possible.
9. Educate staff/users about security best practices, such as recognizing phishing attempts that might lead to an attack on the network.
HYPERLINK
- https://www.fortiguard.com/psirt/FG-IR-24-535
- https://bolster.ai/blog/avoid-government-grant-scams
- https://madsecurity.com/madsecurity-blog/10-essential-tips-to-fortify-against-phishing-attacks
https://tnp.straitstimes.com/news/singapore/scam-website-masquerades-govt-support-scheme-portal