Ethical Hacking News

Fortinet Authentication Bypass Zero-Day Exploited to Hijack Firewalls: A Critical Security Threat



Fortinet has issued a warning about the exploitation of a critical authentication bypass zero-day vulnerability in their firewalls. This vulnerability allows attackers to hijack FortiOS and FortiProxy devices, enabling them to breach enterprise networks with ease. Organizations are advised to urgently disable firewall management access on public interfaces and to keep software up to date to prevent this critical security threat.

  • Fortinet has issued a warning about a critical authentication bypass zero-day vulnerability (CVE-2024-55591) in their firewalls.
  • The vulnerability affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12.
  • Successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module.
  • Attackers are using this vulnerability to create rogue admin users, add them to user groups, and access internal networks.
  • The initial access vector is not definitively confirmed, but a zero-day vulnerability is highly probable.
  • Fortinet has released security patches for a critical hard-coded cryptographic key vulnerability (CVE-2023-37936).



In a recent and alarming development, Fortinet has issued a warning about the exploitation of a critical authentication bypass zero-day vulnerability in their firewalls. This vulnerability, tracked as CVE-2024-55591, has been exploited by attackers to hijack FortiOS and FortiProxy devices, allowing them to breach enterprise networks with ease.

The vulnerability affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Successful exploitation of this zero-day allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module.

According to Fortinet, attackers are using this vulnerability to create randomly generated admin or local users on compromised devices, adding them to existing SSL VPN user groups or to new groups they create for the purpose. They have also been observed adding or changing firewall policies and other settings, and logging in to SSL VPN with the previously created rogue accounts "to get a tunnel to the internal network."

This critical security threat has been described as a mass-exploitation campaign by Arctic Wolf Labs, which says that Fortinet FortiGate firewalls with Internet-exposed management interfaces have been under attack since mid-November. The initial access vector is not definitively confirmed, but a zero-day vulnerability is highly probable.

Arctic Wolf Labs provides a detailed timeline for this CVE-2024-55591 mass-exploitation campaign, which includes four phases: vulnerability scanning (November 16, 2024 to November 23, 2024), reconnaissance (November 22, 2024 to November 27, 2024), SSL VPN configuration (December 4, 2024 to December 7, 2024), and lateral movement (December 16, 2024 to December 27, 2024).

The attackers have been observed using a variety of IP addresses in their attacks, including 1.1.1.1, 127.0.0.1, 2.2.2.2, 8.8.8.8, and 8.8.4.4. Arctic Wolf Labs also warns that organizations should urgently disable firewall management access on public interfaces.
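A defender-side log triage check for the post-exploitation steps described above, written as an added example rather than code from Fortinet, Arctic Wolf Labs or the article: it walks constructed FortiOS-style key=value event lines and flags new admin or local accounts, SSL VPN user group and firewall policy changes, events carrying one of the source addresses the article lists, and an SSL VPN tunnel opened by a freshly created account. The field and configuration path names (srcip, cfgpath, cfgobj, system.admin, user.local, user.group, firewall.policy, tunnel-up) are assumptions modelled on FortiOS event logs, and the sample lines are constructed; the listed addresses are used only as values to match in logs, not as hosts to act on.

```python
import re
from collections import namedtuple

# Source addresses the article reports as seen in the campaign's login activity.
REPORTED_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}
# Config paths whose changes match the reported post-exploitation steps; the
# key=value field names are an assumption modelled on FortiOS event logs.
ACCOUNT_PATHS = {"system.admin", "user.local"}   # rogue admin / local user creation
GROUP_PATH = "user.group"                        # accounts added to SSL VPN groups
POLICY_PATH = "firewall.policy"                  # firewall policy changes

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
Finding = namedtuple("Finding", "severity reason line_no")

# Constructed sample lines for illustration, not output captured from a device.
SAMPLE_LOGS = [
    'date=2024-12-04 time=02:11:09 type="event" subtype="system" user="admin" srcip=1.1.1.1 action="Add" cfgpath="system.admin" cfgobj="kX9qT2"',
    'date=2024-12-04 time=02:11:40 type="event" subtype="system" user="admin" srcip=1.1.1.1 action="Edit" cfgpath="user.group" cfgobj="sslvpn-users"',
    'date=2024-12-05 time=03:05:12 type="event" subtype="system" user="admin" srcip=8.8.8.8 action="Edit" cfgpath="firewall.policy" cfgobj="7"',
    'date=2024-12-07 time=04:30:00 type="event" subtype="vpn" user="kX9qT2" srcip=198.51.100.23 action="tunnel-up" tunneltype="ssl-tunnel"',
    'date=2024-12-07 time=09:00:00 type="event" subtype="system" user="netops" srcip=10.0.0.5 action="Edit" cfgpath="system.interface" cfgobj="port3"',
]

def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def triage(lines):
    """Flag events that fit the CVE-2024-55591 post-exploitation pattern, in log order."""
    findings, rogue_accounts = [], set()
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        path, action, user, obj = (ev.get(k) for k in ("cfgpath", "action", "user", "cfgobj"))
        if ev.get("srcip") in REPORTED_IPS:
            findings.append(Finding("high", f"event from reported source IP {ev['srcip']}", n))
        if path in ACCOUNT_PATHS and action == "Add":
            rogue_accounts.add(obj)   # remember the name so a later VPN login can be tied to it
            findings.append(Finding("high", f"new account {obj!r} created under {path}", n))
        elif path == GROUP_PATH and action in {"Add", "Edit"}:
            findings.append(Finding("medium", f"user group {obj!r} modified", n))
        elif path == POLICY_PATH:
            findings.append(Finding("medium", f"firewall policy {obj!r} {action}", n))
        if ev.get("subtype") == "vpn" and action == "tunnel-up" and user in rogue_accounts:
            findings.append(Finding("critical", f"SSL VPN tunnel opened by new account {user!r}", n))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}")
```

The account-creation state is what lifts the final VPN login to critical: a tunnel-up on its own is routine, a tunnel-up by an account that appeared minutes earlier via the management interface is the pattern the article describes.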

Fortinet has released security patches for a critical hard-coded cryptographic key vulnerability (CVE-2023-37936). This vulnerability allows remote, unauthenticated attackers with the key to run unauthorized code via crafted cryptographic requests.

In December, Volexity reported that Chinese hackers used a custom post-exploitation toolkit dubbed 'DeepData' to exploit a zero-day vulnerability (with no CVE ID) in Fortinet's FortiClient Windows VPN client to steal credentials. Two months earlier, Mandiant revealed that a Fortinet FortiManager flaw dubbed "FortiJump" (tracked as CVE-2024-47575) had been exploited as a zero-day to breach over 50 servers since June.

This recent development highlights the importance of keeping software up to date and exercising caution when exposing management interfaces. As security threats continue to evolve, it is essential for organizations to remain vigilant and take proactive steps to protect their networks.



Related Information:

  • https://www.bleepingcomputer.com/news/security/fortinet-warns-of-auth-bypass-zero-day-exploited-to-hijack-firewalls/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-37936

  • https://www.cvedetails.com/cve/CVE-2023-37936/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47575

  • https://www.cvedetails.com/cve/CVE-2024-47575/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-55591

  • https://www.cvedetails.com/cve/CVE-2024-55591/


  • Published: Tue Jan 14 10:04:14 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.