Fortinet fixes FortiOS zero-day exploited by attackers for months (CVE-2024-55591)
Fortinet has patched an authentication bypass vulnerability (CVE-2024-55591) affecting its FortiOS firewalls and FortiProxy web gateways that has been exploited as a zero-day by attackers to compromise publicly-exposed FortiGate firewalls.
While Fortinet acknowledged in-the-wild exploitation in the accompanying security advisory, it did not share any attack-related information beyond indicators of compromise (IoCs): IP addresses, log entries, created users, and a list of operations performed by the threat actor.
Some of those IoCs overlap with those shared by Arctic Wolf researchers last Friday, when they detailed an attack campaign that started in mid-November and “involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.”
Their theory was that the attackers were leveraging a zero-day vulnerability for these attacks, and it seems they were right.
About CVE-2024-55591
CVE-2024-55591 is an authentication bypass (via alternate path or channel) vulnerability that allows remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module, and thus to execute unauthorized code or commands.
The critical vulnerability affects FortiOS version 7.0.0 through 7.0.16, and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. It can be exploited without any user interaction.
Enterprise admins have been advised to upgrade to a fixed version – FortiOS 7.0.17 or above, FortiProxy 7.2.13 or above or 7.0.20 or above – and check for known indicators of compromise. Workarounds are available if updating the appliance is not immediately possible (e.g., orgs can remove the firewall’s web-based management interface from the public internet).
The attack campaign
“This campaign was identified early because external monitoring was in place for unexpected firewall configuration changes,” Arctic Wolf researchers shared.
The campaign unfolded in four distinct phases, which involved:
- Automated vulnerability scanning (+ zero-day exploitation + numerous successful admin login events) – from November 16, 2024 to November 23, 2024
- Reconnaissance (+ configuration changes, the purpose of which is still unknown) – from November 22, 2024 to November 27, 2024
- Creation of new super admin and local user accounts or hijacking of existing accounts + adding of those accounts to existing groups for SSL VPN access + creating new SSL VPN portals + establishing SSL VPN tunnels with the affected devices – from December 4, 2024 to December 7, 2024
- Extracting credentials for lateral movement – from December 16, 2024 to December 27, 2024.
“Our portrayal of these phases may be incomplete or oversimplified given that our visibility is likely limited to a narrow subset of the overall activity in the campaign,” Arctic Wolf researchers noted.
Also, what would have happened after the last phase is currently unknown, as “the threat actors were removed from affected environments before they could proceed any further.”
What to do?
FortiOS zero-day and n-day vulnerabilities are state-sponsored hackers’ preferred way into corporate networks.
This campaign, though, doesn’t seem to be targeting specific organizations by size or economic sector, but opportunistically hitting those with FortiGate devices whose web-based management interfaces are internet-facing.
“Management interfaces should not be exposed on the public internet, regardless of the product specifics. Instead, access to management interfaces should be limited to trusted internal users,” the threat analysts pointed out.
They also advised organizations to monitor for jsconsole activity from commonly spoofed IP addresses, and for web management traffic on the WAN interface exceeding 1MB that originates from VPS hosting IP addresses.
“Given that malicious SSL VPN logins were known to take place with client IP addresses originating from VPS hosting providers, monitoring for unexpected logins from such providers would also potentially be worth exploring,” they added.
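As an added example (not code from the article, Arctic Wolf or Fortinet), here are those three monitoring heuristics expressed as detection logic run over constructed log lines. The simplified FortiGate-style key=value log format, the interface names, the admin ports and the VPS address ranges are all assumptions, and the IP addresses are documentation ranges, not real indicators.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a simplified FortiGate-style key=value format
# (assumed format; not taken from the Fortinet advisory or the Arctic Wolf report).
SAMPLE_LOGS = """\
date=2024-11-20 time=03:14:07 type=event subtype=system logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=192.0.2.10 action=login
date=2024-11-20 time=09:02:11 type=event subtype=system logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action=login
date=2024-12-05 time=22:41:53 type=event subtype=vpn logdesc="SSL VPN tunnel up" user="svc_backup" remip=203.0.113.77 action=tunnel-up
date=2024-12-05 time=22:45:00 type=traffic subtype=local srcintf="wan1" srcip=203.0.113.78 dstport=443 service=HTTPS rcvdbyte=2100000 sentbyte=120000
date=2024-12-05 time=23:10:00 type=traffic subtype=local srcintf="internal" srcip=10.0.0.9 dstport=443 service=HTTPS rcvdbyte=500000 sentbyte=90000
"""

# Placeholder ranges standing in for VPS hosting providers (constructed, not real intel).
VPS_RANGES = [ip_network("203.0.113.0/24")]
WAN_INTERFACES = {"wan1", "wan2"}      # assumed names of the internet-facing interfaces
ADMIN_PORTS = {"443", "8443"}          # assumed HTTPS admin ports
MGMT_BYTES_THRESHOLD = 1_000_000       # the "over 1MB" figure from the article

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def from_vps(ip):
    """True if the address falls inside one of the (placeholder) VPS provider ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in VPS_RANGES)

def detect(logs):
    """Apply the three heuristics from the article; returns (rule, user-or-ip) tuples."""
    alerts = []
    for line in logs.splitlines():
        rec = parse_line(line)
        # 1. any admin login through the jsconsole UI is worth review
        if rec.get("action") == "login" and rec.get("ui") == "jsconsole":
            alerts.append(("jsconsole_admin_login", rec.get("srcip")))
        # 2. SSL VPN tunnels brought up from VPS hosting address space
        if rec.get("action") == "tunnel-up" and from_vps(rec.get("remip", "")):
            alerts.append(("sslvpn_login_from_vps", rec.get("user")))
        # 3. large web-management sessions on the WAN side from VPS address space
        if (rec.get("type") == "traffic" and rec.get("srcintf") in WAN_INTERFACES
                and rec.get("dstport") in ADMIN_PORTS and from_vps(rec.get("srcip", ""))
                and int(rec.get("rcvdbyte", 0)) + int(rec.get("sentbyte", 0)) > MGMT_BYTES_THRESHOLD):
            alerts.append(("large_wan_mgmt_traffic_from_vps", rec.get("srcip")))
    return alerts

if __name__ == "__main__":
    for rule, who in detect(SAMPLE_LOGS):
        print(f"{rule}: {who}")
```

In a real deployment the VPS ranges would come from a maintained ASN or hosting-provider feed, and the jsconsole rule would be narrowed to the source addresses the analysts describe as commonly spoofed.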
They say they notified Fortinet about the observed attacks on December 12, 2024, and that FortiGuard Labs PSIRT responded on December 17, 2024, saying “that the activity was known and under investigation.”
UPDATE (January 14, 2025, 03:00 p.m. ET):
“We have been proactively communicating with customers to provide guidance regarding CVE-2024-55591 (FG-IR-24-535), including solutions and workarounds to help them mitigate their risk,” a Fortinet spokesperson told Help Net Security.
“There are instances where confidential advance customer communications can include early guidance regarding an advisory to enable customers to further strengthen their security posture in advance of a scheduled public Advisory. We continue to coordinate with government agencies and industry threat research organizations as part of our ongoing response and continue to recommend our customers follow the guidance outlined in the advisory, exercise timely patching practices, and continue monitoring their networks for unusual activity to help mitigate cyber risk. We continue to urge our customers to refer to the advisory and follow the guidance provided for CVE-2024-55591.”