
Active Exploitation of Zero-Day Vulnerability CVE-2024-55591 in FortiOS and FortiProxy

CVE-2024-55591 could allow an unauthenticated remote attacker to gain super-admin privileges


Summary

CVE-2024-55591 could allow an unauthenticated remote attacker to gain super-admin privileges


Affected platforms

The following platforms are known to be affected:

  • FortiOS
  • FortiProxy

Threat details

Exploitation of CVE-2024-55591 in the wild

Fortinet has advised CVE-2024-55591 has been observed being exploited in the wild.

Fortinet products are often internet-facing and have been frequently targeted by attackers within days of disclosure. The NHS England National CSOC assesses further exploitation as highly likely. 


Introduction

Fortinet has released a security advisory to address a critical vulnerability in FortiOS and FortiProxy. FortiOS is the operating system for Fortinet products, including Fortinet SSL VPNs and 'Next-Gen' Firewalls (NGFW), and FortiProxy is a secure web gateway that includes advanced filtering and inspection.

CVE-2024-55591 is an 'authentication bypass' vulnerability with a CVSSv3 score of 9.6. A remote, unauthenticated attacker could send crafted requests to the Node.js websocket module to gain super-admin privileges.

Recommended compromise assessment

In addition to the mandatory security update, NHS England National CSOC highly recommends organisations perform a compromise assessment using the indicators of compromise (IoCs) provided in Fortinet's advisory. If malicious activity is found, organisations must contact the National CSOC as a matter of urgency on 0300 303 5222 or by emailing [email protected].


Remediation advice

Affected organisations must review Fortinet PSIRT Advisory FG-IR-24-535 and apply the relevant security updates as soon as practicable.

Additionally, organisations are strongly encouraged to perform a compromise assessment by hunting for the indicators of compromise detailed below. 


Remediation steps

Type: Patch

Organisations must apply the relevant security updates.

FortiOS resolved versions:

  • 7.0.17 or above

FortiProxy resolved versions:

  • 7.0.20 or above
  • 7.2.13 or above

https://www.fortiguard.com/psirt/FG-IR-24-535
Type: Action

Organisations are strongly encouraged to hunt for the indicators of compromise provided by Fortinet. These are detailed below in the 'Indicators of compromise' section.

If malicious activity is found, organisations must contact the NHS England National CSOC as a matter of urgency on 0300 303 5222 or by emailing [email protected].

For full details please see the Fortinet advisory:


https://www.fortiguard.com/psirt/FG-IR-24-535
Type: Guidance

Temporary Workaround 1

Disable HTTP/HTTPS administrative interface.


https://www.fortiguard.com/psirt/FG-IR-24-535
Type: Guidance

Temporary Workaround 2

Limit IP addresses that can reach the administrative interface via local-in policies:

  • config firewall address
  • edit "my_allowed_addresses"
  • set subnet
  • end

Then create an Address Group:

  • config firewall addrgrp
  • edit "MGMT_IPs"
  • set member "my_allowed_addresses"
  • end

Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

  • config firewall local-in-policy
  • edit 1
  • set intf port1
  • set srcaddr "MGMT_IPs"
  • set dstaddr "all"
  • set action accept
  • set service HTTPS HTTP
  • set schedule "always"
  • set status enable
  • next
  • edit 2
  • set intf "all"
  • set srcaddr "all"
  • set dstaddr "all"
  • set action deny
  • set service HTTPS HTTP
  • set schedule "always"
  • set status enable
  • end


If using non-default ports, create appropriate service objects for GUI administrative access:

  • config firewall service custom
  • edit GUI_HTTPS
  • set tcp-portrange 443
  • next
  • edit GUI_HTTP
  • set tcp-portrange 80
  • end

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

Note: the trusthost feature achieves the same as the local-in policies above only if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround.


https://www.fortiguard.com/psirt/FG-IR-24-535

Indicators of compromise

Log entries and operations performed by attackers

Fortinet has provided the following log entries as potential indicators of compromise:

  • type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
  • type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

Note: Fortinet has advised that sn and cfgtid are not relevant to the attack.


Additional operations performed by attackers include:

  • Creating an admin account on the device with random user name (details below)
  • Creating a Local user account on the device with random user name (details below)
  • Creating a user group or adding the above Local user to an existing sslvpn user group
  • Adding/changing other settings (firewall policy, firewall address, etc.)
  • Logging in to the SSL VPN with the above added local users to get a tunnel to the internal network.

Spoofed IP Addresses

The attacker has been observed spoofing the source and destination IP address in the jsconsole sessions, and these IP addresses are not typical for jsconsole activity. As these IP addresses are spoofed, please only hunt for these in the context of jsconsole sessions.
1.1.1.1
127.0.0.1
2.2.2.2
8.8.8.8
8.8.4.4

Note: The above IP parameters are under attacker control and therefore can be any other IP address.

IP Addresses

The attacker has been seen using the following IP addresses:

45.55.158.47 (most common)
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37

Attacker-generated Admin or Local user accounts

The attacker has been observed generating 6 character alpha-numeric Admin and Local user accounts. Some examples are:
Gujhmk
Ed8x4k
G0xgey
Pvnw81
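The indicators above (jsconsole logins, admin or local user objects added via jsconsole, the spoofed jsconsole IP addresses, the attacker IP addresses and the 6-character account names) can be hunted for in exported FortiOS event logs with a small parser. The following Python script is an added example written for this advisory; it is not code from Fortinet or the NHS England National CSOC. The two jsconsole log lines are copied from the 'Log entries' section above; the remaining sample lines, their cfgattr values and the function names (parse_fortios_log, assess, hunt) are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Key=value tokens in FortiOS event logs; values may be quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# IP addresses the advisory lists as seen in use by the attacker.
KNOWN_ATTACKER_IPS = {"45.55.158.47", "87.249.138.47", "155.133.4.175",
                      "37.19.196.65", "149.22.94.37"}

# Spoofed addresses the advisory says should only be hunted in jsconsole sessions.
SPOOFED_JSCONSOLE_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# Account object types the attacker was observed creating, and the 6-character
# alphanumeric naming pattern. The name check is a weak signal on its own
# (legitimate short names match too), so corroborate it with the other findings.
ACCOUNT_PATHS = {"system.admin", "user.local"}
RANDOM_NAME_RE = re.compile(r"[A-Za-z0-9]{6}")

# Constructed sample input. Lines 0 and 1 are the entries published by Fortinet;
# lines 2-4 are illustrative and not real telemetry.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    # constructed: local user with a 6-character name added via jsconsole
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317761 cfgpath="user.local" cfgobj="Ed8x4k" cfgattr="type[password]passwd[*]" msg="Add user.local Ed8x4k"',
    # constructed: GUI login from one of the listed attacker addresses
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(45.55.158.47)" method="https" srcip=45.55.158.47 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(45.55.158.47)"',
    # constructed: benign GUI login from an internal management host
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def assess(entry: Dict[str, str]) -> List[str]:
    """Return the indicator descriptions that match a single parsed log entry."""
    findings: List[str] = []
    ui = entry.get("ui", "")
    # ui is "jsconsole" on the login entry and "jsconsole(127.0.0.1)" on config changes.
    via_jsconsole = ui.startswith("jsconsole") or entry.get("method") == "jsconsole"
    action = entry.get("action", "")
    cfgpath = entry.get("cfgpath", "")
    cfgobj = entry.get("cfgobj", "")

    if via_jsconsole and action == "login":
        findings.append("admin login via jsconsole")
    if via_jsconsole and action == "Add" and cfgpath in ACCOUNT_PATHS:
        findings.append(f"{cfgpath} object '{cfgobj}' added via jsconsole")
    for field in ("srcip", "dstip"):
        ip = entry.get(field)
        if ip in KNOWN_ATTACKER_IPS:
            findings.append(f"{field} {ip} is a known attacker address")
        elif via_jsconsole and ip in SPOOFED_JSCONSOLE_IPS:
            findings.append(f"{field} {ip} matches spoofed jsconsole address")
    if action == "Add" and cfgpath in ACCOUNT_PATHS and RANDOM_NAME_RE.fullmatch(cfgobj):
        findings.append(f"6-character alphanumeric account name '{cfgobj}' (weak signal)")
    return findings


def hunt(lines) -> List[Tuple[int, List[str]]]:
    """Run assess() over every line and return (line index, findings) for hits."""
    hits = []
    for index, line in enumerate(lines):
        findings = assess(parse_fortios_log(line))
        if findings:
            hits.append((index, findings))
    return hits


if __name__ == "__main__":
    for index, findings in hunt(SAMPLE_LOGS):
        print(f"line {index}: " + "; ".join(findings))
```

Feed the script exported event logs one line at a time (for example via `hunt(open("fortios-event.log"))`). A jsconsole login or a jsconsole-originated account creation is the strongest signal here; a match on the spoofed addresses outside a jsconsole session, or on the 6-character name pattern alone, should be reviewed rather than treated as confirmation.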


Definitive source of threat updates


Last edited: 14 January 2025 4:58 pm