Beschreibung:
Der Hersteller Fortigate warnte am 14. Jänner 2025 vor einer kritischen Sicherheitslücke(CVE-2024-55591), die in Ihren Produkten FortiOS und FortiProxy entdeckt wurde. Die Schwachstelle ermöglicht es, einem nicht authentifizierten Angreifer super-admin Berechtigungen auf den betroffenen Systemen über spezielle Anfragen an das Node.js Websocket Modul der Administrationsoberfläche zu erlangen.
Betroffene Systeme:
FortiOS 7.6 - Not affected
FortiOS 7.4 - Not affected
FortiOS 7.2 - Not affected
FortiOS 7.0 - 7.0.0 through 7.0.16 FortiOS 6.4 - Not affected
FortiProxy 7.6 - Not affected
FortiProxy 7.4 - Not affected
FortiProxy 7.2 - 7.2.0 through 7.2.12 FortiProxy 7.0 - 7.0.0 through 7.0.19 FortiProxy 2.0 - Not affected
Behobene Versionen:
FortiOS 7.6 - Not Applicable
FortiOS 7.4 - Not Applicable
FortiOS 7.2 - Not Applicable
FortiOS 7.0 - Upgrade to 7.0.17 or above FortiOS 6.4 - Not Applicable
FortiProxy 7.6 - Not Applicable
FortiProxy 7.4 - Not Applicable
FortiProxy 7.2 - Upgrade to 7.2.13 or above FortiProxy 7.0 - Upgrade to 7.0.20 or above FortiProxy 2.0 - Not Applicable
Empfohlene Maßnahmen:
Fortinet hat Updates veröffentlicht, die die Schwachstelle beheben. Betroffene Systeme sollten dringend auf die oben angeführten Versionen aktualisiert werden.
Einschätzung der Bedrohung:
Fortigate bestätigt in der Meldung, dass die Schwachstelle bereits aktiv ausgenutzt wird. Die Schwachstelle wurde auch von CISA zum Katalog der "Known exploited vulnerabilities" hinzugefügt, es liegen somit auch bestätigte Fälle der Ausnutzung vor.
Anhand dieser Faktoren schätzt ACP die Bedrohungslage als hoch ein und Updates sollten mit Priorität umgesetzt werden.
Indicators of Compromise
The following log entries are possible IOC's:
- Following login activity log with random scrip and dstip: type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
- Following admin creation log with seemingly randomly generated user name and source IP: type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
- The following IP addresses were mostly found used by attackers in above logs:
1.1.1.1
127.0.0.1
2.2.2.2
8.8.8.8
8.8.4.4
Please note that the above IP parameters are not the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.
Please note as well that sn and cfgtid are not relevant to the attack.
The operations performed by the Threat Actor (TA) in the cases we observed were part or all of the below:
- Creating an admin account on the device with random user name
- Creating a Local user account on the device with random user name
- Creating a user group or adding the above local user to an existing sslvpn user group
- Adding/changing other settings (firewall policy, firewall address, ...)
- Logging in the sslvpn with the above added local users to get a tunnel to the internal network.
Admin or Local user created by the TA is randomly generated. e.g:
Gujhmk
Ed8x4k
G0xgey
Pvnw81
Alg7c4
Ypda8a
Kmi8p4
1a2n6t
8ah1t6
M4ix9f
...etc...
Additionally, the TA has been seen using the following IP addresses:
45.55.158.47 [most used IP address]
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37
Weiterführende Informationen:
https://www.fortiguard.com/psirt/FG-IR-24-535
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
