SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2024-55591

CVE-2024-55591: Fortinet FortiProxy Auth Bypass Vulnerability

CVE-2024-55591 is an authentication bypass vulnerability in Fortinet FortiProxy that allows attackers to gain super-admin privileges via crafted Node.js websocket requests. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Updated:

CVE-2024-55591 Overview

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Critical Impact

Remote attackers can gain unauthorized super-admin access, compromising system integrity and confidentiality.

Affected Products

  • Fortinet FortiOS (7.0.0 - 7.0.16)
  • Fortinet FortiProxy (7.0.0 - 7.0.19)
  • Fortinet FortiProxy (7.2.0 - 7.2.12)

Discovery Timeline

  • Not Available - Vulnerability discovered by Not Available
  • Not Available - Responsible disclosure to Fortinet
  • Not Available - CVE CVE-2024-55591 assigned
  • Not Available - Fortinet releases security patch
  • 2025-01-14T14:15:34.450 - CVE CVE-2024-55591 published to NVD
  • 2025-10-24T12:54:28.963 - Last updated in NVD database

Technical Details for CVE-2024-55591

Vulnerability Analysis

The vulnerability exploits a flaw in the authentication mechanism used by the Node.js websocket module in FortiOS and FortiProxy. By sending specially crafted requests, attackers can bypass typical authentication paths and gain elevated privileges.

Root Cause

The issue arises from an alternate path not being validated properly, allowing unauthorized access.

Attack Vector

The attack can be conducted over the network by remote attackers with no prior access, allowing them to send crafted websocket requests.

javascript
// Example exploitation code (sanitized)
const WebSocket = require('ws');

const socket = new WebSocket('ws://vulnerable.example.com');

socket.on('open', function open() {
    const payload = JSON.stringify({"bypass_auth": true});
    socket.send(payload);
});

Detection Methods for CVE-2024-55591

Indicators of Compromise

  • Unusual activity in super-admin logs
  • Unexpected websocket communications
  • Altered system configurations

Detection Strategies

Employ anomaly detection focusing on websocket connections and authenticate logs to identify potential bypass attempts.

Monitoring Recommendations

Configure SIEM systems to alert on unauthorized super-admin access and integrate with security solutions like SentinelOne for comprehensive monitoring and response.

How to Mitigate CVE-2024-55591

Immediate Actions Required

  • Apply patches provided by Fortinet immediately.
  • Monitor logs for unusual activity around websocket connections.
  • Restrict network access to known and trusted entities.

Patch Information

Fortinet has released patches in advisory FG-IR-24-535 for affected products.

Workarounds

Implement network-level filtering to restrict access to the vulnerable Node.js service.

bash
# Configuration example
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne