Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-23112

CVE-2024-23112: Fortinet FortiProxy Auth Bypass Vulnerability

CVE-2024-23112 is an authentication bypass flaw in Fortinet FortiProxy SSL-VPN that allows attackers to access other users' bookmarks via URL manipulation. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2024-23112 Overview

An authorization bypass through user-controlled key vulnerability (CWE-639) has been identified in Fortinet FortiOS and FortiProxy SSL-VPN. This vulnerability allows an authenticated attacker to gain unauthorized access to another user's bookmarks through URL manipulation, potentially exposing sensitive configuration data and internal network resources.

Critical Impact

Authenticated attackers can access other users' SSL-VPN bookmarks, potentially revealing internal network destinations, credentials, and sensitive organizational resources.

Affected Products

  • Fortinet FortiOS versions 7.4.0 through 7.4.1
  • Fortinet FortiOS versions 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14
  • Fortinet FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14

Discovery Timeline

  • 2024-03-12 - CVE-2024-23112 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-23112

Vulnerability Analysis

This vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue, specifically categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). The flaw exists within the SSL-VPN bookmark functionality of both FortiOS and FortiProxy products.

The vulnerability allows authenticated users to manipulate URL parameters or request identifiers to access bookmarks belonging to other users on the same system. SSL-VPN bookmarks typically contain sensitive information including internal server addresses, application URLs, and potentially saved credentials or session tokens. Exploitation requires valid authentication to the SSL-VPN portal, limiting the attack surface to authenticated users, but enables horizontal privilege escalation to access peer user data.

Root Cause

The root cause stems from insufficient authorization validation when processing bookmark access requests. The SSL-VPN web portal fails to properly verify that the requesting user owns or has legitimate access to the bookmark resource being requested. Instead of enforcing user-to-bookmark ownership checks, the application accepts user-supplied identifiers directly, allowing cross-user bookmark access through predictable or enumerable reference values.

Attack Vector

The attack vector is network-based and requires low complexity to execute. An authenticated attacker with valid SSL-VPN credentials can manipulate bookmark identifiers within HTTP requests to the FortiOS or FortiProxy SSL-VPN portal. By modifying resource identifiers in URLs or API calls, attackers can enumerate and retrieve bookmarks belonging to other authenticated users. This attack does not require user interaction and can be performed remotely over the network interface.

The exploitation mechanism involves:

  1. Authenticating to the SSL-VPN portal with valid credentials
  2. Identifying the parameter or identifier used to reference bookmarks
  3. Manipulating the identifier value to reference another user's bookmark
  4. Retrieving sensitive bookmark data including internal URLs and configurations

Detection Methods for CVE-2024-23112

Indicators of Compromise

  • Unusual SSL-VPN bookmark access patterns showing users accessing resources outside their normal bookmark set
  • Anomalous HTTP requests to bookmark endpoints with sequential or enumerated identifier values
  • Authentication logs showing single user accounts querying multiple distinct bookmark identifiers in rapid succession

Detection Strategies

  • Monitor SSL-VPN access logs for bookmark retrieval requests with manipulated or unusual identifier parameters
  • Implement anomaly detection for users accessing bookmark counts exceeding their assigned configurations
  • Deploy web application firewall rules to detect parameter tampering patterns on bookmark endpoints
  • Enable verbose logging on FortiOS/FortiProxy to capture detailed bookmark access events

Monitoring Recommendations

  • Configure centralized log collection for FortiOS and FortiProxy SSL-VPN events
  • Establish baseline bookmark access patterns per user and alert on deviations
  • Review SSL-VPN session logs regularly for evidence of horizontal access attempts
  • Integrate Fortinet logs with SIEM platforms for correlation with other authentication anomalies

How to Mitigate CVE-2024-23112

Immediate Actions Required

  • Upgrade FortiOS to version 7.4.2 or later, 7.2.7 or later, 7.0.14 or later, or 6.4.15 or later depending on your version branch
  • Upgrade FortiProxy to version 7.4.3 or later, 7.2.9 or later, or 7.0.15 or later depending on your version branch
  • Review SSL-VPN bookmark configurations and audit user access permissions
  • Monitor SSL-VPN logs for any evidence of exploitation prior to patching

Patch Information

Fortinet has released security patches addressing this vulnerability. Detailed patch information and upgrade guidance is available in the FortiGuard Security Advisory FG-IR-24-013. Organizations should apply the appropriate firmware update for their deployed version branch as soon as possible.

Workarounds

  • Restrict SSL-VPN access to trusted networks or implement additional network-level access controls while awaiting patching
  • Disable or limit SSL-VPN bookmark functionality if not operationally required
  • Implement additional authentication factors for SSL-VPN access to reduce risk from compromised credentials
  • Conduct periodic audits of SSL-VPN bookmark contents to identify and remove sensitive stored data
bash
# Example: Verify current FortiOS version
get system status

# Example: Check FortiProxy version
diagnose sys top

# Restrict SSL-VPN access to specific source IPs (interim control)
config vpn ssl settings
    set source-address "trusted-network-group"
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne