=====================================================================

                              CERT-Renater

                  Note d'Information No. 2025/VULN019

_____________________________________________________________________

DATE                : 20/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiOS versions prior to 7.0.17,
                     7.2.10, 7.4.5, 7.6.1, 6.4.16, 6.2.16, 6.0.18,
                     FortiProxy versions prior to 7.2.13, 7.0.20.

=====================================================================
https://www.fortiguard.com/psirt/FG-IR-24-535
https://www.fortiguard.com/psirt/FG-IR-24-015
https://www.fortiguard.com/psirt/FG-IR-24-266
https://www.fortiguard.com/psirt/FG-IR-24-219
_____________________________________________________________________

Authentication bypass in Node.js websocket module

Summary

An Authentication Bypass Using an Alternate Path or Channel
vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow
a remote attacker to gain super-admin privileges via crafted requests
to Node.js websocket module.

Please note that reports show this is being exploited in the wild.


Version 	Affected 	Solution

FortiOS 7.6 	Not affected 	Not Applicable
FortiOS 7.4 	Not affected 	Not Applicable
FortiOS 7.2 	Not affected 	Not Applicable
FortiOS 7.0 	7.0.0 through 7.0.16 	Upgrade to 7.0.17 or above
FortiOS 6.4 	Not affected 	Not Applicable
FortiProxy 7.6 	Not affected 	Not Applicable
FortiProxy 7.4 	Not affected 	Not Applicable
FortiProxy 7.2 	7.2.0 through 7.2.12 	Upgrade to 7.2.13 or above
FortiProxy 7.0 	7.0.0 through 7.0.19 	Upgrade to 7.0.20 or above
FortiProxy 2.0 	Not affected 	Not Applicable

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool


IoCs

The following log entries are possible IoCs:

The following login activity log, with random srcip and dstip:
type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

The following admin creation log, with a seemingly randomly generated user name and source IP:
type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"



The IP addresses most often found used by attackers in the above logs
were:

    1.1.1.1
    127.0.0.1
    2.2.2.2
    8.8.8.8
    8.8.4.4



Please note that the above IP parameters are not the actual source IP
addresses of the attack traffic, they are generated arbitrarily by
the attacker as a parameter. Because of this they should not be used
for any blocking.

Please note as well that sn and cfgtid are not relevant to the attack.

The operations performed by the Threat Actor (TA) in the cases we
observed were part or all of the below:

- Creating an admin account on the device with a random user name
- Creating a local user account on the device with a random user name
- Creating a user group, or adding the above local user to an existing
SSL VPN user group
- Adding/changing other settings (firewall policy, firewall address,
...)
- Logging in to the SSL VPN with the above added local users to get a
tunnel to the internal network.

Admin or local user names created by the TA are randomly generated, e.g.:
Gujhmk
Ed8x4k
G0xgey
Pvnw81
Alg7c4
Ypda8a
Kmi8p4
1a2n6t
8ah1t6
M4ix9f
...etc...

Additionally, the TA has been seen using the following IP
addresses:

45.55.158.47 [most used IP address]
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37
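As an added example (not part of the CERT-Renater note or Fortinet's advisory), the following Python script applies the IoC guidance above to FortiOS event-log lines: it parses the key=value format, flags super-admin logins and object additions performed through the jsconsole UI, ranks the finding higher when srcip/dstip carry one of the arbitrary values listed above or when the added object name looks randomly generated, and separately matches the IP addresses the advisory attributes to the threat actor. The two advisory log lines are used as input together with two constructed lines (a benign HTTPS login and a jsconsole login from an attributed IP); the `remip` field name for SSL VPN logs and the 5-6 alphanumeric-character name heuristic are assumptions, and the arbitrary srcip/dstip values are, as the advisory states, not suitable for blocking.

```python
import re

# FortiOS event-log fields are key=value; values are either double-quoted
# (and may contain spaces) or bare (IP addresses, integers).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields

# Values the advisory says are attacker-chosen parameters in srcip/dstip of
# the jsconsole logs. They are not real source addresses: match, do not block.
ARBITRARY_PARAM_IPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# Addresses the advisory reports the threat actor has been seen using.
TA_IPS = {"45.55.158.47", "87.249.138.47", "155.133.4.175",
          "37.19.196.65", "149.22.94.37"}

# Heuristic (assumption) derived from the account names quoted in the advisory:
# 5-6 alphanumeric characters with no obvious meaning.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{5,6}$")

# Configuration paths touched by the operations the advisory lists
# (admin account, local user, user group).
WATCHED_CFGPATHS = {"system.admin", "user.local", "user.group"}

def assess(fields):
    """Return a list of (severity, reason) findings for one parsed record."""
    findings = []
    ui = fields.get("ui", "")
    if fields.get("logdesc") == "Admin login successful" and ui == "jsconsole":
        src, dst = fields.get("srcip"), fields.get("dstip")
        if src in ARBITRARY_PARAM_IPS or src == dst:
            findings.append(("high", f"jsconsole admin login with arbitrary srcip/dstip {src}/{dst}"))
        else:
            findings.append(("medium", f"jsconsole admin login from {src}; verify against expected admin activity"))
    if (fields.get("action") == "Add" and ui.startswith("jsconsole")
            and fields.get("cfgpath") in WATCHED_CFGPATHS):
        obj = fields.get("cfgobj", "")
        sev = "high" if RANDOM_NAME_RE.match(obj) else "medium"
        findings.append((sev, f"{fields['cfgpath']} object '{obj}' added via {ui}"))
    # srcip is used in event logs; remip is assumed for SSL VPN logs.
    for key in ("srcip", "remip"):
        if fields.get(key) in TA_IPS:
            findings.append(("high", f"{key}={fields[key]} matches an IP attributed to the threat actor"))
    return findings

def scan(lines):
    """Return [(line_index, findings)] for every line that produced a finding."""
    hits = []
    for i, line in enumerate(lines):
        findings = assess(parse_fortios_log(line))
        if findings:
            hits.append((i, findings))
    return hits

# Lines 0 and 1 are the advisory's IoC examples; lines 2 and 3 are constructed.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733500000" user="netops" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator netops logged in successfully from https(10.0.0.5)"',
    'type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733500001" user="admin" ui="jsconsole" method="jsconsole" srcip=45.55.158.47 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOGS):
        for severity, reason in findings:
            print(f"line {index}: [{severity}] {reason}")
```

Run it against an exported event log one line at a time; because legitimate administrators also use the GUI CLI console (ui="jsconsole"), a medium finding is a review prompt rather than a verdict, while the high findings reproduce the two patterns the advisory singles out.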


Workaround

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative
interface via local-in policies:

config firewall address
edit "my_allowed_addresses"
set subnet <allowed-address> <netmask>
end

Then create an Address Group:

config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end

Create the Local in Policy to restrict access only to
the predefined group on management interface (here: port1):

config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next

edit 2
set intf "all"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end

If using non-default ports, create appropriate service objects
for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange 443
next

edit GUI_HTTP
set tcp-portrange 80
end

Use these objects instead of "HTTPS HTTP" in the
local-in policies 1 and 2 above.

Please note that the trusthost feature achieves the same as the
local-in policies above only if all GUI users are configured
with it. Therefore, the local-in policies above are the
preferred workaround.

Please note as well that an attacker needs to know an admin
account's username to perform the attack and log in to the CLI.
Therefore, having a non-standard and non-guessable username
for admin accounts does offer some protection, and is, in
general, a best practice. Keep in mind however that, since the
targeted websocket is not an authentication point, nothing
would prevent an attacker from brute-forcing the username.

Please contact customer support for assistance.


Timeline

2025-01-14: Format
2025-01-15: Added non-standard admin account username best
practice

2025-01-15: Clarified that IP addresses "under attacker control"
means they are arbitrarily generated by the attacker


IR Number 	FG-IR-24-535
Published Date 	Jan 14, 2025
Updated Date 	Jan 15, 2025
Component 	OTHERS
Severity 	Critical
CVSSv3 Score 	9.6
Impact 	Execute unauthorized code or commands
CVE ID 	CVE-2024-55591

___________________________________________________________

Out-of-bound Write in sslvpnd

Summary

An out-of-bounds write vulnerability [CWE-787] in FortiOS
and FortiProxy may allow a remote unauthenticated attacker
to execute arbitrary code or command via specially crafted
HTTP requests.

Workaround: disable SSL VPN (disabling webmode is NOT a
valid workaround).

Note: This is potentially being exploited in the wild.


Version 	Affected 	Solution
FortiOS 7.4 	7.4.0 through 7.4.2 	Upgrade to 7.4.3 or above
FortiOS 7.2 	7.2.0 through 7.2.6 	Upgrade to 7.2.7 or above
FortiOS 7.0 	7.0.0 through 7.0.13 	Upgrade to 7.0.14 or above
FortiOS 6.4 	6.4.0 through 6.4.14 	Upgrade to 6.4.15 or above
FortiOS 6.2 	6.2.0 through 6.2.15 	Upgrade to 6.2.16 or above
FortiOS 6.0 	6.0.0 through 6.0.17 	Upgrade to 6.0.18 or above
FortiProxy 7.4 	7.4.0 through 7.4.2 	Upgrade to 7.4.3 or above
FortiProxy 7.2 	7.2.0 through 7.2.8 	Upgrade to 7.2.9 or above
FortiProxy 7.0 	7.0.0 through 7.0.14 	Upgrade to 7.0.15 or above
FortiProxy 2.0 	2.0.0 through 2.0.13 	Upgrade to 2.0.14 or above
FortiProxy 1.2 	1.2 all versions 	Migrate to a fixed release
FortiProxy 1.1 	1.1 all versions 	Migrate to a fixed release
FortiProxy 1.0 	1.0 all versions 	Migrate to a fixed release


Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool

Virtual Patch named "HTTP.Chunk.Length.Invalid." is available
in FMWP db update 24.020


Timeline

2024-02-08: Initial publication
2024-02-23: Added other fixed versions
2025-01-15: Added IPS package info
IR Number 	FG-IR-24-015
Published Date 	Feb 8, 2024
Updated Date 	Jan 15, 2025
Severity 	Critical
CVSSv3 Score 	9.6
Impact 	Execute unauthorized code or commands
CVE ID 	CVE-2024-21762

_____________________________________________________________________

Out of bounds read in ipsec ike

Summary

An Out-of-bounds Read vulnerability [CWE-125] in FortiOS and
FortiSASE FortiOS tenant IPsec IKE service may allow an
unauthenticated remote attacker to trigger memory consumption
leading to Denial of Service via crafted requests.


Version 	Affected 	Solution

FortiOS 7.6 	7.6.0 	Upgrade to 7.6.1 or above
FortiOS 7.4 	7.4.0 through 7.4.4 	Upgrade to 7.4.5 or above
FortiOS 7.2 	7.2.0 through 7.2.9 	Upgrade to 7.2.10 or above
FortiOS 7.0 	Not affected 	Not Applicable
FortiOS 6.4 	Not affected 	Not Applicable

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool

Fortinet remediated this issue in FortiSASE version 24.3.c in
Q4/24, hence FortiSASE customers need not perform any action.

Virtual Patch named "FG-VD-10007169.0day." is available in
FMWP db update 24.111


Acknowledgement
Fortinet is pleased to thank n3k & Yue Liu from TIANGONG Team of
Legendsec at QI-ANXIN Group for reporting this vulnerability
under responsible disclosure.


Timeline

2025-01-14: Initial publication
2025-01-15: Added IPS package info
IR Number 	FG-IR-24-266
Published Date 	Jan 14, 2025
Updated Date 	Jan 15, 2025
Component 	CLI
Severity 	High
CVSSv3 Score 	7.5
Impact 	Denial of service
CVE ID 	CVE-2024-46670
_____________________________________________________________________

Multipart Form Data Denial of Service

Summary

An allocation of resources without limits or throttling vulnerability
[CWE-770] in some FortiOS API endpoints may allow an unauthenticated
remote user to consume all system memory via multiple large file
uploads.


Version 	Affected 	Solution

FortiOS 7.6 	Not affected 	Not Applicable
FortiOS 7.4 	7.4.0 through 7.4.4 	Upgrade to 7.4.5 or above
FortiOS 7.2 	7.2.0 through 7.2.8 	Upgrade to 7.2.9 or above
FortiOS 7.0 	7.0.0 through 7.0.15 	Upgrade to 7.0.16 or above
FortiOS 6.4 	6.4.0 through 6.4.15 	Upgrade to upcoming 6.4.16 or above

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool


Acknowledgement

Fortinet is pleased to thank Ben Barnea from Akamai for reporting
this vulnerability under responsible disclosure.


Timeline

2025-01-14: Initial publication
IR Number 	FG-IR-24-219
Published Date 	Jan 14, 2025
Component 	GUI
Severity 	High
CVSSv3 Score 	7.1
Impact 	Denial of service
CVE ID 	CVE-2024-46668
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
