CVE-2024-55591 could allow an unauthenticated remote attacker to gain super-admin privileges

Threat ID:CC-4604

Threat Severity:High

Published:14 January 2025 4:58 PM

Summary

Affected platforms

The following platforms are known to be affected:

Fortinet FortiOS

7.0.0 to 7.0.16

Fortinet FortiProxy

7.0.0 to 7.0.19

7.2.0 to 7.2.12

Threat details

Exploitation of CVE-2024-55591 in the wild

Fortinet has advised CVE-2024-55591 has been observed being exploited in the wild.

Fortinet products are often internet-facing and have been frequently targeted by attackers within days of disclosure. The NHS England National CSOC assesses further exploitation as highly likely.

Introduction

Fortinet has released a security advisory to address a critical vulnerability in FortiOS and FortiProxy. FortiOS is the operating system for Fortinet products, including Fortinet SSLVPNs and 'Next-Gen' Firewalls (NGFW). and FortiProxy is a secure web gateway that includes advanced filtering and inspection.

CVE-2024-55591 is an 'authentication bypass' vulnerability with a CVSSv3 score of 9.6. A remote, unauthenticated attacker could send crafted requests to the Node.js websocket module to gain super-admin privileges.

Recommended compromise assessment

In addition to the mandatory security update, NHS England National CSOC highly recommends organisations perform a compromise assessment using the indicators of compromise (IoCs) provided in Fortinet's advisory. If malicious activity is found, organisations must contact the National CSOC as a matter of urgency on 0300 303 5222 or by emailing cybersecurity@nhs.net.

Remediation advice

Affected organisations must review Fortinet PSIRT Advisory FG-IR-24-535 and apply the relevant security updates as soon as practicable.

Additionally, organisations are strongly encouraged to perform a compromise assessment by hunting for the indicators of compromise detailed below.

Remediation steps


Patch	Organisations must apply the relevant security updates. FortiOS resolved versions: 7.0.17 or above FortiProxy resolved versions: 7.0.20 or above 7.2.13 or above https://www.fortiguard.com/psirt/FG-IR-24-535
Action	Organisations are strongly encouraged to hunt for the indicators of compromise provided by Fortinet. These are detailed below in the 'Indicators of compromise' section. If malicious activity is found, organisations must contact the NHS England National CSOC as a matter of urgency on 0300 303 5222 or by emailing cybersecurity@nhs.net. For full details please see the Fortinet advisory: https://www.fortiguard.com/psirt/FG-IR-24-535
Guidance	Temporary Workaround 1 Disable HTTP/HTTPS administrative interface. https://www.fortiguard.com/psirt/FG-IR-24-535
Guidance	Temporary Workaround 2 Limit IP addresses that can reach the administrative interface via local-in policies: config firewall address edit "my_allowed_addresses" set subnet end Then create an Address Group: config firewall addrgrp edit "MGMT_IPs" set member "my_allowed_addresses" end Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1): config firewall local-in-policy edit 1 set intf port1 set srcaddr "MGMT_IPs" set dstaddr "all" set action accept set service HTTPS HTTP set schedule "always" set status enable next edit 2 set intf "all" set srcaddr "all" set dstaddr "all" set action deny set service HTTPS HTTP set schedule "always" set status enable end If using non default ports, create appropriate service object for GUI administrative access: config firewall service custom edit GUI_HTTPS set tcp-portrange 443 next edit GUI_HTTP set tcp-portrange 80 end Use these objects instead of "HTTPS HTTP "in the local-in policy 1 and 2 below. Note: the trusthost feature achieves the same as the local-in policies above only if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround. https://www.fortiguard.com/psirt/FG-IR-24-535

Indicators of compromise

- Log entries and operations performed by attackers

Fortinet has provided the following log entries as potential indicators of compromise:

type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

Note: Fortinet has advised that sn and cfgtid are not relevant to the attack.

Additional operations performed by attackers include:

Creating an admin account on the device with random user name (details below)

Creating a Local user account on the device with random user name (details below)

Creating a user group or adding the above Local user to an existing sslvpn user group

Adding/changing other settings (firewall policy, firewall address, etc.)

Logging in the sslvpn with the above added local users to get a tunnel to the internal network.

- Spoofed IP Addresses

The attacker has been observed spoofing the source and destination IP address in the jsconsole sessions, and these IP addresses are not typical for jsconsole activity. As these IP addresses are spoofed, please only hunt for these in the context of jsconsole sessions.
1.1.1.1
127.0.0.1
2.2.2.2
8.8.8.8
8.8.4.4

Note: The above IP parameters are under attacker control and therefore can be any other IP address.

- IP Addresses

The attacker has been seen using the following IP addresses:

45.55.158.47 (most common)
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37

- Attacker-generated Admin or Local user accounts

The attacker has been observed generating 6 character alpha-numeric Admin and Local user accounts. Some examples are:
Gujhmk
Ed8x4k
G0xgey
Pvnw81

Definitive source of threat updates

https://www.fortiguard.com/psirt/FG-IR-24-535

CVE Vulnerabilities

StatusPublished

CVE-2024-55591An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Last edited: 14 January 2025 4:58 pm