2025-1-16 02:47:21 Author: securityboulevard.com(查看原文) 阅读量:1 收藏
Overview
Recently, NSFOCUS CERT detected that Fortinet has issued a security notification and fixed the identity authentication bypass vulnerability in FortiOS and FortiProxy (CVE-2024-55591). Unauthenticated attackers can bypass system identity authentication by sending special packets to the Node.js websocket module, thus obtaining super administrator permissions of the target system. The CVSS score is 9.8. At present, it has been found to be used in the wild. Please take measures for protection as soon as possible.
Reference link: https://fortiguard.fortinet.com/psirt/FG-IR-24-535
Scope of Impact
Affected version
- 7.0.0 <= FortiOS <= 7.0.16
- 7.0.0 <= FortiProxy <= 7.0.19
- 7.2.0 <= FortiProxy <= 7.2.12
Unaffected Version
- FortiOS >= 7.0.17
- FortiProxy >= 7.0.20
- FortiProxy >= 7.2.13
Attack Screening
Users can conduct self-examination according to the officially released IoC to check whether their own systems are under attack.
1. Check that the following log entries are present in the system:
| type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Admin login successful” sn=”1733486785″ user=”admin” ui=”jsconsole” method=”jsconsole” srcip=1.1.1.1 dstip=1.1.1.1 action=”login” status=”success” reason=”none” profile=”super_admin” msg=”Administrator admin logged in successfully from jsconsole” |
| type=”event” subtype=”system” level=”information” vd=”root” logdesc=”Object attribute configured” user=”admin” ui=”jsconsole(127.0.0.1)” action=”Add” cfgtid=1411317760 cfgpath=”system.admin” cfgobj=”vOcep” cfgattr=”password[*]accprofile[super_admin]vdom[root]” msg=”Add system.admin vOcep” |
2. Check the system for any of the following abnormal operations recently:
(1) Create an administrator account on the device using a random user name
(2) Create a local user account on the device using a random user name
(3) Create a user group or add the above local users to the existing sslvpn user group.
(4) Add/change other settings (such as firewall policy, firewall address, etc.)
(5) Use the local user added above to log in to sslvpn to obtain the tunnel to the internal network.
3. Check whether the FortiGate is connected to the following suspicious IP address:
- 45.55.158.47
- 87.249.138.47
- 155.133.4.175
- 37.19.196.65
- 149.22.94.37
Mitigation
Official upgrade
At present, a new version has been officially released to fix this vulnerability. Please upgrade the affected version for protection as soon as possible. Download link: https://docs.fortinet.com/upgrade-tool/fortigate
Temporary measures
If relevant users cannot upgrade temporarily, the following measures can be taken for temporary relief:
Disable the HTTP/HTTPS management interface or use local policy to restrict access for temporary mitigation without affecting services.
Official Reference: https://fortiguard.fortinet.com/psirt/FG-IR-24-535
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.
Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.
Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.
The post Fortinet OS & FortiProxy Authentication Bypass Vulnerability (CVE-2024-55591) Notification appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..
*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/fortinet-os-fortiproxy-authentication-bypass-vulnerability-cve-2024-55591-notification/
如有侵权请联系:admin#unsafe.sh