CVE-2024-46667 Overview
CVE-2024-46667 is a resource exhaustion vulnerability in Fortinet FortiSIEM that allows unauthenticated remote attackers to deny valid Transport Layer Security (TLS) traffic. The flaw stems from allocation of resources without limits or throttling [CWE-770]. An attacker can consume all available TLS connections, blocking legitimate clients from establishing sessions with the FortiSIEM service. The vulnerability affects FortiSIEM versions 5.3, 5.4, 6.x, 7.0, and 7.1.0 through 7.1.5. Fortinet published advisory FG-IR-24-164 to address the issue. The Exploit Prediction Scoring System (EPSS) rates this CVE at 0.638% with a 70.858 percentile.
Critical Impact
Unauthenticated network attackers can exhaust TLS connection slots on FortiSIEM, denying service to all legitimate TLS clients without requiring credentials or user interaction.
Affected Products
- Fortinet FortiSIEM 5.3 (all versions) and 5.4 (all versions)
- Fortinet FortiSIEM 6.x (all versions) and 7.0 (all versions)
- Fortinet FortiSIEM 7.1.0 through 7.1.5
Discovery Timeline
- 2025-01-14 - CVE-2024-46667 published to the National Vulnerability Database (NVD)
- 2025-07-16 - Last updated in NVD database
Technical Details for CVE-2024-46667
Vulnerability Analysis
The vulnerability resides in the TLS connection handling logic of FortiSIEM. The service accepts incoming TLS handshakes without enforcing per-source rate limits or a hard ceiling on concurrent connection slots. An attacker can open many TLS sessions and hold them open, exhausting the connection pool. Once the pool is saturated, the service rejects further TLS handshakes from valid clients. This breaks log ingestion, agent communication, and administrative access to the FortiSIEM appliance.
Root Cause
The root cause is improper resource management classified under [CWE-770]: Allocation of Resources Without Limits or Throttling. The TLS listener does not bound the number of concurrent connections or apply throttling per remote endpoint. There is no backpressure mechanism to reclaim idle or stalled handshakes. As a result, an attacker controls how much of the connection budget is consumed.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker reachable over the network repeatedly initiates TLS handshakes against the FortiSIEM TLS service. Connections are left open or partially established to occupy slots in the connection table. Legitimate agents, collectors, and administrators are then unable to establish new TLS sessions, producing a denial of service condition. No verified public proof-of-concept exploit is available at this time. See the Fortinet Security Advisory FG-IR-24-164 for technical details.
Detection Methods for CVE-2024-46667
Indicators of Compromise
- Sudden spike in concurrent TLS sessions to FortiSIEM ports from a single source or small set of sources.
- Legitimate agents and collectors reporting TLS handshake timeouts or connection refusals.
- Half-open or long-lived idle TLS sessions accumulating on the FortiSIEM appliance.
- Gaps in log ingestion timelines correlating with connection exhaustion events.
Detection Strategies
- Monitor FortiSIEM TLS listener metrics for connection-table saturation and handshake failure rates.
- Correlate firewall and network flow data to identify sources generating disproportionate TLS connection attempts.
- Alert on sustained deviations from baseline TLS connection counts to FortiSIEM management interfaces.
Monitoring Recommendations
- Track per-source connection counts and apply alerting thresholds at network egress and ingress points.
- Enable connection-state logging on upstream load balancers or firewalls fronting FortiSIEM.
- Review FortiSIEM system health and ingestion latency dashboards for anomalies tied to TLS availability.
How to Mitigate CVE-2024-46667
Immediate Actions Required
- Upgrade FortiSIEM to a fixed release as specified in Fortinet advisory FG-IR-24-164.
- Restrict network exposure of the FortiSIEM TLS service to trusted management and collector subnets only.
- Place a rate-limiting device or reverse proxy in front of FortiSIEM to cap concurrent TLS connections per source.
- Audit existing TLS connections and terminate unrecognized long-lived sessions.
Patch Information
Fortinet has published advisory FG-IR-24-164 with fixed version guidance for affected FortiSIEM branches. Administrators should consult the Fortinet Security Advisory FG-IR-24-164 for the specific patched releases applicable to versions 5.3, 5.4, 6.x, 7.0, and 7.1.x.
Workarounds
- Apply firewall access control lists to limit which source IPs can initiate TLS connections to FortiSIEM.
- Use a network device to enforce connection-rate limits and idle-session timeouts on TLS traffic to the appliance.
- Segment FortiSIEM management interfaces onto a dedicated administrative VLAN with strict ingress filtering.
# Example: restrict TLS access to FortiSIEM using iptables on an upstream host
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 20 -j REJECT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
