An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Tracked as CVE-2024-55591, it is an authentication bypass vulnerability with a CVSSv3 score of 9.6, which rates it as critical. FortiOS is the operating system for Fortinet products, including Fortinet SSL VPNs and 'Next-Gen' Firewalls (NGFW), and FortiProxy is a secure web gateway that includes advanced filtering and inspection.

Reports indicate that this vulnerability is being exploited in the wild.


Affected Versions

| Version | Affected | Solution |
| --- | --- | --- |
| FortiOS 7.6 | Not affected | Not Applicable |
| FortiOS 7.4 | Not affected | Not Applicable |
| FortiOS 7.2 | Not affected | Not Applicable |
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiProxy 7.6 | Not affected | Not Applicable |
| FortiProxy 7.4 | Not affected | Not Applicable |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 2.0 | Not affected | Not Applicable |


Recommendations

It is recommended that those running affected versions of FortiOS and FortiProxy upgrade immediately to the patched version, following the recommended upgrade path given by the Fortinet upgrade tool: https://docs.fortinet.com/upgrade-tool

Additionally, organisations are strongly encouraged to perform a compromise assessment by hunting for the indicators of compromise detailed in this advisory.


Workarounds

Temporary Workaround 1:

Disable HTTP/HTTPS administrative interface

Temporary Workaround 2:

Limit IP addresses that can reach the administrative interface via local-in policies:

config firewall address
edit "my_allowed_addresses"
set subnet
end

Then create an Address Group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

Create the local-in policy to restrict access to the predefined group on the management interface (here: port1):

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next


edit 2
set intf "all"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

If non-default ports are used, create the appropriate service objects for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange 443
next


edit GUI_HTTP
set tcp-portrange 80
end

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

Please note that the trusthost feature achieves the same result as the local-in policies above only if every GUI user is configured with it. The local-in policies above are therefore the preferred workaround.

Contact Fortinet customer support for any assistance with this.

Indicators of compromise

Log Entries and operations performed by attackers:

Fortinet has provided the following log entries as potential indicators of compromise:

  • type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
  • type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

Note: Fortinet has advised that sn and cfgtid are not relevant to the attack.


Additional operations performed by attackers include:

  • Creating an admin account on the device with a random user name (details below)
  • Creating a Local user account on the device with a random user name (details below)
  • Creating a user group, or adding the above Local user to an existing SSL VPN user group
  • Adding or changing other settings (firewall policy, firewall address, etc.)
  • Logging in to the SSL VPN with the above added Local users to obtain a tunnel into the internal network


Spoofed IP Addresses:

The attacker has been observed spoofing the source and destination IP address in the jsconsole sessions, and these IP addresses are not typical for jsconsole activity. As these IP addresses are spoofed, please only hunt for them in the context of jsconsole sessions.

  • 1.1.1.1
  • 127.0.0.1
  • 2.2.2.2
  • 8.8.8.8
  • 8.8.4.4

Note: The above IP parameters are under attacker control and therefore can be any other IP address.

IP Addresses:

The attacker has been seen using the following IP addresses:

  • 45.55.158.47 (most common)
  • 87.249.138.47
  • 155.133.4.175
  • 37.19.196.65
  • 149.22.94.37

Attacker-generated Admin or Local user accounts:

The attacker has been observed generating 6-character alphanumeric Admin and Local user accounts. Some examples are:

  • Gujhmk
  • Ed8x4k
  • G0xgey
  • Pvnw8
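As an added example (not part of this advisory or of Fortinet's tooling), the following Python parses FortiOS key=value event log lines and flags the indicators listed above: admin logins via jsconsole, spoofed source/destination IPs inside jsconsole sessions, source IPs matching the listed attacker infrastructure, and short random-looking admin accounts being added with the super_admin profile. The sample input is the two log entries quoted above plus one constructed benign GUI login; the 10.0.0.x addresses are made up.

```python
import re
from typing import Dict, List

# Constructed sample lines: the two indicators quoted in this advisory plus one
# benign GUI login from the management LAN (10.0.0.5 / 10.0.0.1 are made up).
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

# IP addresses the advisory says are spoofed inside jsconsole sessions.
SPOOFED_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}
# Attacker infrastructure listed in the advisory.
ATTACKER_IPS = {"45.55.158.47", "87.249.138.47", "155.133.4.175", "37.19.196.65", "149.22.94.37"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one FortiOS event log line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def analyse(line: str) -> List[str]:
    """Return the advisory indicators this log line matches (empty list if none)."""
    rec = parse_fortilog(line)
    hits: List[str] = []
    via_jsconsole = rec.get("ui", "").startswith("jsconsole") or rec.get("method") == "jsconsole"
    if rec.get("logdesc") == "Admin login successful" and via_jsconsole:
        hits.append("admin login via jsconsole")
    if via_jsconsole and {rec.get("srcip"), rec.get("dstip")} & SPOOFED_IPS:
        hits.append("spoofed src/dst IP in jsconsole session")
    if rec.get("srcip") in ATTACKER_IPS:
        hits.append("source IP listed as attacker infrastructure")
    if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
        name = rec.get("cfgobj", "")
        # The advisory's example account names are 5-6 alphanumeric characters.
        suffix = " (short random-looking name)" if re.fullmatch(r"[A-Za-z0-9]{5,6}", name) else ""
        hits.append(f"admin account added: {name}{suffix}")
        if "accprofile[super_admin]" in rec.get("cfgattr", ""):
            hits.append("new account granted super_admin profile")
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        hits = analyse(line)
        print("SUSPECT" if hits else "ok     ", hits)
```

Feed it the output of the device's event log export one line at a time; any line with a non-empty result warrants the compromise assessment recommended above.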

Threat Updates

For more information and updates on this vulnerability, it is recommended to monitor Fortinet's official Product Security Incident Response Team page: https://fortiguard.fortinet.com/psirt/FG-IR-24-535

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
