On January 15, Fortinet published a new PSIRT advisory about a newly discovered authentication bypass in FortiGate and FortiProxy that is exploitable when the administrative interface is publicly accessible.
Update January 16: FortiOS 7.0.17, which contains the bug fix, has been released.
Update January 17: Release notes have been published for FortiOS 7.0.17.
SSL VPN: Be aware that the SSL VPN web and tunnel mode feature will not be available from the GUI or the CLI on the FortiGate 90G and 91G models, and existing settings will not be upgraded from previous versions. Consider migrating to IPsec dialup VPN for remote access.
Fortinet PSIRT advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-535
IR number: FG-IR-24-535
CVE number: CVE-2024-55591
CVSSv3 score: 9.6
The vulnerability allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
Since the vulnerability is already being exploited, we urgently recommend the following:
- FortiOS 7.0.17 was released on January 16; install it as soon as possible, or apply the workarounds described in the PSIRT advisory or below.
- Install FortiProxy version 7.0.20 or 7.2.13.
- Workaround: disable public HTTP/HTTPS access to the administrative interface, or restrict the source IP addresses that can reach the administrative interface via local-in policies. Details can be found in the PSIRT advisory.