CVE-2024-23112 Overview
An authorization bypass through user-controlled key vulnerability (CWE-639) has been identified in Fortinet FortiOS and FortiProxy SSL-VPN. This vulnerability allows an authenticated attacker to gain unauthorized access to another user's bookmarks through URL manipulation, potentially exposing sensitive configuration data and internal network resources.
Critical Impact
Authenticated attackers can access other users' SSL-VPN bookmarks, potentially revealing internal network destinations, credentials, and sensitive organizational resources.
Affected Products
- Fortinet FortiOS versions 7.4.0 through 7.4.1
- Fortinet FortiOS versions 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14
- Fortinet FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14
Discovery Timeline
- 2024-03-12 - CVE-2024-23112 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23112
Vulnerability Analysis
This vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue, specifically categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). The flaw exists within the SSL-VPN bookmark functionality of both FortiOS and FortiProxy products.
The vulnerability allows authenticated users to manipulate URL parameters or request identifiers to access bookmarks belonging to other users on the same system. SSL-VPN bookmarks typically contain sensitive information including internal server addresses, application URLs, and potentially saved credentials or session tokens. Exploitation requires valid authentication to the SSL-VPN portal, limiting the attack surface to authenticated users, but enables horizontal privilege escalation to access peer user data.
Root Cause
The root cause stems from insufficient authorization validation when processing bookmark access requests. The SSL-VPN web portal fails to properly verify that the requesting user owns or has legitimate access to the bookmark resource being requested. Instead of enforcing user-to-bookmark ownership checks, the application accepts user-supplied identifiers directly, allowing cross-user bookmark access through predictable or enumerable reference values.
Attack Vector
The attack vector is network-based and requires low complexity to execute. An authenticated attacker with valid SSL-VPN credentials can manipulate bookmark identifiers within HTTP requests to the FortiOS or FortiProxy SSL-VPN portal. By modifying resource identifiers in URLs or API calls, attackers can enumerate and retrieve bookmarks belonging to other authenticated users. This attack does not require user interaction and can be performed remotely over the network interface.
The exploitation mechanism involves:
- Authenticating to the SSL-VPN portal with valid credentials
- Identifying the parameter or identifier used to reference bookmarks
- Manipulating the identifier value to reference another user's bookmark
- Retrieving sensitive bookmark data including internal URLs and configurations
Detection Methods for CVE-2024-23112
Indicators of Compromise
- Unusual SSL-VPN bookmark access patterns showing users accessing resources outside their normal bookmark set
- Anomalous HTTP requests to bookmark endpoints with sequential or enumerated identifier values
- Authentication logs showing single user accounts querying multiple distinct bookmark identifiers in rapid succession
Detection Strategies
- Monitor SSL-VPN access logs for bookmark retrieval requests with manipulated or unusual identifier parameters
- Implement anomaly detection for users accessing bookmark counts exceeding their assigned configurations
- Deploy web application firewall rules to detect parameter tampering patterns on bookmark endpoints
- Enable verbose logging on FortiOS/FortiProxy to capture detailed bookmark access events
Monitoring Recommendations
- Configure centralized log collection for FortiOS and FortiProxy SSL-VPN events
- Establish baseline bookmark access patterns per user and alert on deviations
- Review SSL-VPN session logs regularly for evidence of horizontal access attempts
- Integrate Fortinet logs with SIEM platforms for correlation with other authentication anomalies
How to Mitigate CVE-2024-23112
Immediate Actions Required
- Upgrade FortiOS to version 7.4.2 or later, 7.2.7 or later, 7.0.14 or later, or 6.4.15 or later depending on your version branch
- Upgrade FortiProxy to version 7.4.3 or later, 7.2.9 or later, or 7.0.15 or later depending on your version branch
- Review SSL-VPN bookmark configurations and audit user access permissions
- Monitor SSL-VPN logs for any evidence of exploitation prior to patching
Patch Information
Fortinet has released security patches addressing this vulnerability. Detailed patch information and upgrade guidance is available in the FortiGuard Security Advisory FG-IR-24-013. Organizations should apply the appropriate firmware update for their deployed version branch as soon as possible.
Workarounds
- Restrict SSL-VPN access to trusted networks or implement additional network-level access controls while awaiting patching
- Disable or limit SSL-VPN bookmark functionality if not operationally required
- Implement additional authentication factors for SSL-VPN access to reduce risk from compromised credentials
- Conduct periodic audits of SSL-VPN bookmark contents to identify and remove sensitive stored data
# Example: Verify current FortiOS version
get system status
# Example: Check FortiProxy version
diagnose sys top
# Restrict SSL-VPN access to specific source IPs (interim control)
config vpn ssl settings
set source-address "trusted-network-group"
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
