Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

/in

Cyble Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security

Overview

Fortinet has disclosed a critical authentication bypass vulnerability affecting FortiOS and FortiProxy systems, identified as CVE-2024-55591. With a CVSS score of 9.6, this vulnerability allows unauthenticated attackers to execute unauthorized code or commands, granting them “super-admin” privileges.

The exploitation of this vulnerability has already been observed “in the wild,” stressing the urgency for affected organizations to act immediately.

Key Details

Vulnerability Summary

CVE-2024-55591 arises from a flaw in the Node.js websocket module, specifically within FortiOS and FortiProxy, where an alternate path or channel can bypass authentication mechanisms (CWE-288). This allows remote attackers to gain administrative access and compromise device configurations.

Affected Products

The vulnerability impacts specific versions of FortiOS and FortiProxy:

  • FortiOS 7.0: Versions 7.0.0 through 7.0.16

  • FortiProxy 7.0: Versions 7.0.0 through 7.0.19

  • FortiProxy 7.2: Versions 7.2.0 through 7.2.12

Unpatched systems are vulnerable to unauthorized access and subsequent exploitation.

Indicators of Compromise (IoCs)

Organizations are advised to monitor for the following IoCs to detect potential compromise:

Log Entries

  • Admin Login Events

  • Log Message: Successful login from the “jsconsole” interface with “super-admin” privileges.

  • Example: type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Admin login successful” sn=”1733486785″ user=”admin” ui=”jsconsole” method=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” reason=”none” profile=”super_admin” msg=”Administrator admin logged in successfully from jsconsole”

  • Admin Account Creation

  • Log Message: Creation of admin accounts with random usernames from suspicious IPs.

  • Example: type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Object attribute configured” user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add” cfgtid=1411317760 cfgpath=”system.admin” cfgobj=”vOcep” cfgattr=”password[*]accprofile[super_admin]vdom[root]” msg=”Add system.admin vOcep”

Common IP Addresses Usernames Used by Threat Actors

  • Frequent IPs:
    • 1.1.1.1

    • 2.2.2.2

    • 8.8.8.8

    • 45.55.158.47 [most used IP address]

    • 87.249.138.47

  • Admin/Usernames Created by Threat Actors:
    Randomly generated usernames have been observed, such as:
    • Gujhmk

    • Ed8x4k

    • G0xgey

    • Pvnw81

    • Alg7c4

    • Ypda8a

    • Kmi8p4

    • 1a2n6t

    • 8ah1t6

    • M4ix9f

Threat Actor Activity

Post-exploitation, attackers typically perform the following actions:

  1. Create admin accounts with elevated privileges.

  2. Add local users to existing SSL VPN user groups.

  3. Alter firewall policies to enable unauthorized network access.

  4. Use compromised SSL VPN accounts to establish tunnels into internal networks.

These actions allow lateral movement within the network, further compromising critical assets.

Mitigation Recommendations

Patch Management

Upgrade to Secure Versions:

  • FortiOS: Upgrade to 7.0.17 or higher.

  • FortiProxy: Upgrade to 7.0.20 or higher.
    Use Fortinet’s Upgrade Tool for guidance.

Access Control

  1. Disable HTTP/HTTPS Administrative Interfaces:
    Prevent unauthorized access by disabling external administrative interfaces.

  2. Restrict Access with Local-In Policies:
    Limit administrative access to trusted IP addresses using local-in policies.
    • Configure firewall address and groups for allowed IPs.

    • Apply local-in policies to restrict management interface access.

Monitoring and Detection

  1. Audit Logs:
    Continuously monitor system logs for anomalous login activities, suspicious IP addresses, and unauthorized account creations.

  2. Threat Intelligence Integration:
    Leverage threat intelligence feeds to stay updated on IoCs and adversarial tactics.

Incident Response

  1. Immediate Actions on Compromise:
    • Remove unauthorized accounts and reset passwords for all administrative and local users.

    • Revert unauthorized firewall and VPN configuration changes.

    • Isolate compromised devices from the network and conduct forensic analysis.

  2. Strengthen VPN Security:
    • Change SSL VPN ports to non-default values.

    • Implement multi-factor authentication (MFA) for all VPN users.

Workarounds

If patching is not immediately feasible, the following steps can temporarily mitigate risks:

  1. Restrict Administrative Access:
    Use local-in policies to limit management interface access to trusted IPs.

  2. Modify SSL VPN Ports:
    Configure custom ports for SSL VPN and HTTPS interfaces to avoid default port exploitation.

  3. Enable Trusthost Feature:
    Apply the trusthost feature to restrict access only to predefined IP ranges.

Conclusion

Organizations leveraging Fortinet solutions must act promptly to secure their infrastructure against CVE-2024-55591exploitation, leveraging patches, access restrictions, and continuous monitoring to detect and mitigate potential attacks. Proactively implementing these measures not only reduces the attack surface but also strengthens overall network security against advanced threat actors.

References:

https://www.fortiguard.com/psirt/FG-IR-24-535

https://docs.fortinet.com/upgrade-tool

The post Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security appeared first on Cyble.

Blog – Cyble – ​Read More