Executive Summary

    On January 14th, Fortinet published an advisory about a critical authentication bypass vulnerability in their FortiOS and FortiProxy software, identified as CVE-2024-55591. This flaw allows unauthenticated attackers to gain super-admin privileges on vulnerable devices. FortiOS is widely used in various Fortinet products, including their next-generation firewalls (NGFW), which are typically internet-facing. Exploitation of this vulnerability via exposed internet firewall management interfaces could give threat actors access to networks and enable further internal compromises.

    Fortinet released security patches along with their advisory; details can be found in the “Affected Systems and Products” section below. Fortinet also confirmed that CVE-2024-55591 was being actively exploited in an ongoing campaign detailed in this article by the cyber security firm Arctic Wolf. Details and IOCs from that campaign can be found in the “Indicators of Compromise” section of this advisory. At the time of this writing, there are no public proof-of-concept exploits available. However, Beazley Security is aware of active and ongoing exploitation of this issue and expects other financially motivated threat actors to develop more exploits in the coming days.

    Beazley Security recommends that organizations immediately apply patches for affected Fortinet devices and review affected systems for signs of compromise.

    Affected Systems or Products

    This vulnerability was found in FortiOS and FortiProxy, which are used in several Fortinet products. See below for affected version information.

    Version           Affected                  Solution
    FortiOS 7.0       7.0.0 through 7.0.16      Upgrade to 7.0.17 or above
    FortiOS 7.2       Not affected              N/A
    FortiOS 7.4       Not affected              N/A
    FortiOS 7.6       Not affected              N/A
    FortiOS 6.4       Not affected              N/A
    FortiProxy 2.0    Not affected              N/A
    FortiProxy 7.6    Not affected              N/A
    FortiProxy 7.4    Not affected              N/A
    FortiProxy 7.2    7.2.0 through 7.2.12      Upgrade to 7.2.13 or above
    FortiProxy 7.0    7.0.0 through 7.0.19      Upgrade to 7.0.20 or above

    Mitigations / Workarounds

    Beazley Security Labs strongly recommends upgrading affected Fortinet appliances to the fixed versions listed in the Solution column of the table above. If a device cannot be upgraded, there are workarounds that temporarily help mitigate the impact.

    This vulnerability affects the HTTP/HTTPS administrative interfaces of Fortinet devices. Properly segmenting these interfaces to internal management networks will prevent exploitation by threat actors.

    Beazley Security strongly recommends that organizations take the following steps regardless of applying recently released patches:

    • connect the administrative interface to a network segment that is not accessible from the internet

    • ideally, only allow network traffic from a dedicated management network to the administrative interface

    • apply patches to the device as soon as possible

    More detailed, device-specific local policy configurations and ACLs to accomplish this can be found in the “workaround” section of the FortiGuard advisory.

    Patches

    Fortinet has released patches and provides an online upgrade tool that gives guidance on the recommended upgrade path for each product model.

    Indicators of Compromise

    Fortinet included indicators of compromise within their FortiGuard advisory (FG-IR-24-535) that can be useful for threat hunting. It should be noted that most of these indicators are specific to the observed campaign and may change with exploit campaigns from different threat actors.

    The following activity log was captured on exploitation. The srcip and dstip values, shown as <ip> fields, are arbitrary values supplied by the attacker. It should be noted that the IP addresses in those fields may not be legitimate IPs: they are parameters provided or spoofed during the attack.

    type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="<xxxxxxx>" user="admin" ui="jsconsole" method="jsconsole" srcip=<ip> dstip=<ip> action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

    Successful exploitation is followed by this admin creation log with what appears to be a randomly generated username:

    type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=<xxxxxxxx> cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

    Post-exploit, the threat actors were observed performing the following actions:

    • Created admin account with random name

    • Created local user account with random name

    • Created a user group or added the above local user to an existing sslvpn user group

    • Modified settings

    • Logged into the sslvpn to access the internal network

    Additionally, as of the time of this writing, threat actors have been seen using the following IP addresses to remotely access vulnerable devices:

    • 45.55.158[.]47 [most used IP address]

    • 87.249.138[.]47

    • 155.133.4[.]175

    • 37.19.196[.]65

    • 149.22.94[.]37
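    The two log formats quoted above and the IP list lend themselves to a simple triage script. The following Python is an added example written for this advisory, not Fortinet's or Arctic Wolf's code: it parses FortiOS key=value event lines and flags jsconsole admin logins, super_admin account additions made through jsconsole, and any line carrying one of the listed attacker addresses. The sample log lines are constructed from the formats shown above (documentation-range addresses, placeholder serial numbers and a made-up SSL VPN line); the cfgpath values user.local and user.group are assumptions standing in for the local-user and group creation steps described, and treating srcip equal to dstip as a signal is a heuristic of this example, not a statement from the advisory.

```python
"""Triage helper for FortiOS event logs around CVE-2024-55591 (added example)."""
import re

# Attacker-operated addresses listed in the advisory (defanged there with [.]).
KNOWN_BAD_IPS = {
    "45.55.158.47",
    "87.249.138.47",
    "155.133.4.175",
    "37.19.196.65",
    "149.22.94.37",
}

# Config paths touched during the observed post-exploitation steps.
# "system.admin" is quoted in the advisory; "user.local" and "user.group"
# are assumed here to match the local-user and user-group creation described.
WATCHED_CFGPATHS = {"system.admin", "user.local", "user.group"}

# Matches key="quoted value" or key=bare_value (FortiOS log syntax).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def _ip_findings(fields):
    """Reasons derived from srcip/dstip: a listed attacker IP, or src == dst.
    The advisory says both values are attacker-supplied; src == dst as a
    signal is an assumption of this example."""
    reasons = []
    src, dst = fields.get("srcip"), fields.get("dstip")
    if src in KNOWN_BAD_IPS or dst in KNOWN_BAD_IPS:
        reasons.append("known attacker IP")
    if src and dst and src == dst:
        reasons.append("srcip equals dstip")
    return reasons


def classify(line):
    """Return (severity, reasons) for one line; severity is 'high', 'review' or None."""
    f = parse_fortios_log(line)
    reasons = _ip_findings(f)
    via_jsconsole = f.get("ui", "").startswith("jsconsole") or f.get("method") == "jsconsole"

    # First advisory log: successful admin login through the jsconsole utility.
    if f.get("logdesc") == "Admin login successful" and via_jsconsole:
        reasons.append("admin login via jsconsole")
        return ("high" if len(reasons) > 1 else "review", reasons)

    # Second advisory log: admin/user objects added through jsconsole.
    if f.get("action") == "Add" and f.get("cfgpath") in WATCHED_CFGPATHS and via_jsconsole:
        reasons.append(f"{f['cfgpath']} object added via jsconsole")
        if "accprofile[super_admin]" in f.get("cfgattr", ""):
            reasons.append("new super_admin profile")
        return ("high", reasons)

    # Any other line that touches a listed attacker address (e.g. SSL VPN use).
    if reasons:
        return ("high", reasons)
    return (None, [])


def scan(lines):
    """Return [(index, severity, reasons)] for every flagged line."""
    hits = []
    for idx, line in enumerate(lines):
        severity, reasons = classify(line)
        if severity:
            hits.append((idx, severity, reasons))
    return hits


# Constructed sample lines (not real captures); see the lead-in for what each mimics.
SAMPLE_LOGS = [
    # Benign GUI login from an internal management host.
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="FGT-SAMPLE" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    # Mimics the advisory's first log: jsconsole login with arbitrary, equal srcip/dstip.
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="FGT-SAMPLE" user="admin" ui="jsconsole" method="jsconsole" srcip=192.0.2.1 dstip=192.0.2.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # Mimics the advisory's second log: super_admin account added via jsconsole.
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=12345678 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    # Made-up SSL VPN line from a listed attacker address.
    'type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-web" user="xqzt" group="sslvpn_users" srcip=45.55.158.47 dstip=203.0.113.10 msg="SSL tunnel established"',
]

if __name__ == "__main__":
    for idx, severity, reasons in scan(SAMPLE_LOGS):
        print(f"line {idx}: {severity}: {', '.join(reasons)}")
```

    Run it against exported FortiOS event logs one line per element of the list; the "review" tier exists because a jsconsole login by itself is not proof of compromise, only a rare path worth confirming with the administrator who would have used it.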

    Technical Details

    While the Fortinet advisory provided limited technical details, specifying only that the vulnerability relates to an authentication bypass, cybersecurity firm Arctic Wolf identified indicators of attack associated with this vulnerability prior to Fortinet’s official advisory. They shared detailed information about the attack campaign on their blog.

    The threat actors exploiting this vulnerability made heavy use of FortiOS’s web-based jsconsole utility. This utility gives device administrators a command line interface emulator embedded within the web-based management interface. It is likely that successful exploitation of CVE-2024-55591 gives threat actors access to this jsconsole utility without having to authenticate.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.