{"uuid": "d7599ad9-5fd5-49e3-b7c5-3a17be39df54", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Fortinet - Authentication bypass in Node.js websocket module and CSF requests", "description": "PSIRT | FortiGuard Labs\n=======================\n\n### Summary\n\nAn Authentication Bypass Using an Alternate Path or Channel vulnerability \\[CWE-288\\] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module or via crafted CSF proxy requests.\n\nPlease note that reports show this is being exploited in the wild.\n\n| Version | Affected | Solution |\n|---|---|---|\n| FortiOS 7.6 | Not affected | Not Applicable |\n| FortiOS 7.4 | Not affected | Not Applicable |\n| FortiOS 7.2 | Not affected | Not Applicable |\n| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |\n| FortiOS 6.4 | Not affected | Not Applicable |\n| FortiProxy 7.6 | Not affected | Not Applicable |\n| FortiProxy 7.4 | Not affected | Not Applicable |\n| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |\n| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |\n| FortiProxy 2.0 | Not affected | Not Applicable |\n\nFollow the recommended upgrade path using our tool at: [https://docs.fortinet.com/upgrade-tool](https://docs.fortinet.com/upgrade-tool)\n\n### IoCs\n\nThe following log entries are possible IoCs:\n\n*   Login activity log with random srcip and dstip:  \n    type=\"event\" subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Admin login successful\" sn=\"1733486785\" user=\"admin\" ui=\"jsconsole\" method=\"jsconsole\" srcip=1.1.1.1 dstip=1.1.1.1 action=\"login\" status=\"success\" reason=\"none\" profile=\"super\\_admin\" msg=\"Administrator admin logged in successfully from jsconsole\"\n\n*   Admin creation log with a seemingly randomly generated user name and source IP:  \n    type=\"event\" 
subtype=\"system\" level=\"information\" vd=\"root\" logdesc=\"Object attribute configured\" user=\"admin\" ui=\"jsconsole(127.0.0.1)\" action=\"Add\" cfgtid=1411317760 cfgpath=\"system.admin\" cfgobj=\"vOcep\" cfgattr=\"password\\[\\*\\]accprofile\\[super\\_admin\\]vdom\\[root\\]\" msg=\"Add system.admin vOcep\"\n\n*   The following IP addresses were most often found used by attackers in the above logs:  \n    1.1.1.1  \n    127.0.0.1  \n    2.2.2.2  \n    8.8.8.8  \n    8.8.4.4\n\nPlease note that the above IP parameters are not the actual source IP addresses of the attack traffic; they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.\n\nPlease note as well that sn and cfgtid are not relevant to the attack.\n\nThe operations performed by the Threat Actor (TA) in the cases we observed were some or all of the below:  \n\\- Creating an admin account on the device with a random user name  \n\\- Creating a local user account on the device with a random user name  \n\\- Creating a user group or adding the above local user to an existing sslvpn user group  \n\\- Adding/changing other settings (firewall policy, firewall address, ...)  \n\\- Logging in to the sslvpn with the above added local users to get a tunnel to the internal network.\n\nThe admin or local user name created by the TA is randomly generated, 
e.g.:  \nGujhmk  \nEd8x4k  \nG0xgey  \nPvnw81  \nAlg7c4  \nYpda8a  \nKmi8p4  \n1a2n6t  \n8ah1t6  \nM4ix9f  \n...etc.\n\nAdditionally, the TA has been seen using the following IP addresses:\n\n45.55.158.47 \\[most used IP address\\]  \n87.249.138.47  \n155.133.4.175  \n37.19.196.65  \n149.22.94.37\n\n### Workaround\n\nDisable the HTTP/HTTPS administrative interface\n\nOR\n\nLimit the IP addresses that can reach the administrative interface via local-in policies:\n\nconfig firewall address  \nedit \"my\\_allowed\\_addresses\"  \nset subnet  \nend\n\nThen create an Address Group:\n\nconfig firewall addrgrp  \nedit \"MGMT\\_IPs\"  \nset member \"my\\_allowed\\_addresses\"  \nend\n\nCreate the local-in policy to restrict access on the management interface (here: port1) to the predefined group only:\n\nconfig firewall local-in-policy  \nedit 1  \nset intf port1  \nset srcaddr \"MGMT\\_IPs\"  \nset dstaddr \"all\"  \nset action accept  \nset service HTTPS HTTP  \nset schedule \"always\"  \nset status enable  \nnext\n\nedit 2  \nset intf \"any\"  \nset srcaddr \"all\"  \nset dstaddr \"all\"  \nset action deny  \nset service HTTPS HTTP  \nset schedule \"always\"  \nset status enable  \nend\n\nIf using non-default ports, create the appropriate service objects for GUI administrative access:\n\nconfig firewall service custom  \nedit GUI\\_HTTPS  \nset tcp-portrange 443  \nnext\n\nedit GUI\\_HTTP  \nset tcp-portrange 80  \nend\n\nUse these objects instead of \"HTTPS HTTP\" in local-in policies 1 and 2 above.\n\nPlease note that the trusthost feature achieves the same as the local-in policies above _only_ if all GUI users are configured with it. Therefore, the local-in policies above are the preferred workaround.\n\nPlease note as well that an attacker needs to know an admin account's username to perform the attack and log in to the CLI. 
Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a [best practice](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/81327170-6878-11ea-9384-00505692583a/FortiOS-6.4.0-Hardening_your_FortiGate.pdf). Keep in mind, however, that since the targeted websocket is not an authentication point, nothing would prevent an attacker from brute-forcing the username.\n\nPlease contact customer support for assistance.\n\nCSF requests issue:\n\nDisable Security Fabric from the CLI:\n\nconfig system csf  \n    set status disable  \nend\n\n### Acknowledgement\n\nFortinet is pleased to thank Sonny of watchTowr ([https://watchtowr.com/](https://watchtowr.com/)) for reporting the CSF related vulnerability under responsible disclosure.\n\n### Timeline\n\n2025-01-14: Format  \n2025-01-15: Added non-standard admin account username best practice  \n2025-01-15: Clarified that IP addresses \"under attacker control\" means they are arbitrarily generated by the attacker  \n2025-01-21: Added IPS package info  \n2025-01-24: Removed IPS package info  \n2025-02-11: Added CVE-2025-24472 and its acknowledgement\n\nCVE-2024-55591 and CVE-2025-24472", "creation_timestamp": "2025-02-12T05:38:54.386766+00:00", "timestamp": "2025-02-12T05:38:54.386766+00:00", "related_vulnerabilities": ["CVE-2024-55591", "CVE-2025-24472"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
