Fortinet Warns of Auth Bypass Zero-day Exploited to Hijack Firewalls

Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.

The flaw, tracked as CVE-2024-55591, affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19 and FortiProxy 7.2.0 through 7.2.12. Because it is an authentication bypass, a remote attacker with no credentials can obtain super-admin privileges by sending crafted requests to the Node.js websocket module of the administrative interface; every device that exposes that interface to an untrusted network is therefore a candidate for full takeover.

Fortinet says the attackers exploiting the zero-day in the wild create admin or local users with randomly generated names on compromised devices and add them to existing SSL VPN user groups, or to new groups they also create. They have also been observed adding or changing firewall policies and other settings, and logging in to SSL VPN with the rogue accounts created earlier "to get a tunnel to the internal network." In other words, the exploit itself is only the entry point; the lasting damage is persistent VPN access that survives a reboot and is invisible to anyone who only checks the original admin account.

Affected Systems

Version          Affected                 Solution
FortiOS 7.6      Not affected             Not applicable
FortiOS 7.4      Not affected             Not applicable
FortiOS 7.2      Not affected             Not applicable
FortiOS 7.0      7.0.0 through 7.0.16     Upgrade to 7.0.17 or above
FortiOS 6.4      Not affected             Not applicable
FortiProxy 7.6   Not affected             Not applicable
FortiProxy 7.4   Not affected             Not applicable
FortiProxy 7.2   7.2.0 through 7.2.12     Upgrade to 7.2.13 or above
FortiProxy 7.0   7.0.0 through 7.0.19     Upgrade to 7.0.20 or above
FortiProxy 2.0   Not affected             Not applicable

IoCs

Successful admin login via jsconsole with an arbitrary srcip and dstip (the 1.1.1.1 values below stand in for the random addresses seen on compromised devices; a login with ui="jsconsole" and method="jsconsole" from an address you cannot account for is the indicator): type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

Admin account creation from jsconsole with a seemingly random username (here vOcep) and the super_admin profile: type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

Additionally, the threat actor (TA) has been seen using the following IP addresses:
45.55.158.47 [most used IP address]
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37
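
The three indicators above (jsconsole admin logins, account creation from jsconsole, and traffic from the listed addresses) can be checked mechanically against exported FortiOS event logs. The following detector is an added example written for this page, not Fortinet's code or part of the advisory: it parses FortiOS key=value log lines and applies one rule per indicator. The first two sample lines are the advisory's own example entries; the benign GUI login and the SSL VPN tunnel-up line are constructed here, and the cfgpath "user.local" for local users and the "remip" field for VPN events are assumptions about the log schema, so adjust them to what your own devices emit.

```python
import re

# IP addresses the advisory above attributes to the threat actor.
THREAT_ACTOR_IPS = {
    "45.55.158.47",   # most used
    "87.249.138.47",
    "155.133.4.175",
    "37.19.196.65",
    "149.22.94.37",
}

# FortiOS logs are space-separated key=value pairs; values containing spaces
# are double-quoted, IP addresses (srcip=1.1.1.1) and numeric IDs are bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line):
    """Parse one FortiOS log line into a dict of field -> value (all strings)."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def check_event(fields):
    """Return a list of (rule, detail) findings for one parsed log event."""
    findings = []
    ui = fields.get("ui", "")
    user = fields.get("user", "")

    # Rule 1: successful admin login via the jsconsole method. The advisory's
    # indicator is such a login with arbitrary srcip/dstip, so every hit is
    # reported together with both addresses for triage.
    if (fields.get("logdesc") == "Admin login successful"
            and fields.get("method") == "jsconsole"
            and fields.get("status") == "success"):
        findings.append(("jsconsole-admin-login",
                         f"user={user} profile={fields.get('profile')} "
                         f"srcip={fields.get('srcip')} dstip={fields.get('dstip')}"))

    # Rule 2: an admin (system.admin) or local user (user.local, assumed path)
    # added from jsconsole. accprofile[super_admin] in cfgattr is the exact
    # pattern shown in the advisory and raises severity.
    if (fields.get("action") == "Add"
            and fields.get("cfgpath") in ("system.admin", "user.local")
            and ui.startswith("jsconsole")):
        attrs = fields.get("cfgattr", "")
        severity = "high" if "accprofile[super_admin]" in attrs else "medium"
        findings.append(("rogue-account-created",
                         f"severity={severity} cfgpath={fields.get('cfgpath')} "
                         f"name={fields.get('cfgobj')} ui={ui}"))

    # Rule 3: any event involving a published threat-actor address, whichever
    # field carries it (admin events use srcip/dstip; VPN events are assumed
    # to use remip).
    for key in ("srcip", "dstip", "remip"):
        if fields.get(key) in THREAT_ACTOR_IPS:
            findings.append(("known-threat-actor-ip", f"{key}={fields[key]} user={user}"))
    return findings


def scan(lines):
    """Run check_event over raw log lines; returns [(line_no, rule, detail), ...]."""
    results = []
    for n, line in enumerate(lines, 1):
        for rule, detail in check_event(parse_fortios_log(line)):
            results.append((n, rule, detail))
    return results


# Constructed sample: lines 1 and 2 are the advisory's example entries; line 3
# is a benign GUI login and line 4 an SSL VPN tunnel-up, both made up here.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" '
    'cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" '
    'user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 '
    'action="login" status="success" reason="none" profile="super_admin" '
    'msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" '
    'action="tunnel-up" tunneltype="ssl-tunnel" remip=45.55.158.47 user="vOcep" group="sslvpn_grp" '
    'msg="SSL tunnel established"',
]

if __name__ == "__main__":
    for line_no, rule, detail in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {rule}: {detail}")
```

On the sample, lines 1, 2 and 4 produce one finding each and the benign HTTPS login on line 3 produces none. Rule 1 deliberately reports every jsconsole login rather than trying to guess which addresses are "random": a legitimate GUI console session is rare enough on most estates that analyst review of each hit is cheaper than a missed compromise, and any account the rule surfaces should be cross-checked against SSL VPN group membership and recent policy changes, which is where the attackers were seen establishing persistence.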

Workaround

  • Disable the HTTP/HTTPS administrative interface, or at minimum remove it from every internet-facing interface, until the device is upgraded.
  • Limit the IP addresses that can reach the administrative interface with local-in policies, so that only known management hosts can send requests to it.

Mitigations

Upgrade to the fixed release listed in the Affected Systems table (FortiOS 7.0.17, FortiProxy 7.0.20 or FortiProxy 7.2.13, or later). After upgrading, review admin accounts, local users, SSL VPN group membership and firewall policies for the rogue additions described above, since the patch does not remove them.

CVE / CWE

CVE-2024-55591 (CWE-288: Authentication Bypass Using an Alternate Path or Channel)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be "high", whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be "critical". Fortinet rates CVE-2024-55591 as critical.