CVE-2024-52965: Fortinet FortiOS and FortiProxy Authentication Bypass via Invalid Certificate
A critical vulnerability has been discovered in Fortinet's FortiOS and FortiProxy, potentially allowing attackers to bypass authentication mechanisms. This issue could lead to unauthorized access to sensitive systems and data. This blog post provides an overview of the vulnerability, its potential impact, and recommended mitigation steps.
Vulnerability Details
- CVE ID: CVE-2024-52965
- Description: A missing critical step in authentication [CWE-304] in Fortinet FortiOS and FortiProxy allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.
- CVSS Score: 7.2 HIGH
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CVSS Explanation: This vulnerability has a high CVSS score because it can be exploited remotely (AV:N) with low complexity (AC:L). While it requires high privileges (PR:H) initially, successful exploitation could grant an attacker complete control over the affected system (C:H/I:H/A:H). No user interaction is needed (UI:N), and the scope is unchanged (S:U).
- Exploit Requirements: Requires a valid API key; the PKI user certificate presented alongside it does not need to be valid.
Affected Products and Versions
- FortiOS version 7.6.0 through 7.6.1
- FortiOS version 7.4.0 through 7.4.5
- FortiOS version 7.2.0 through 7.2.10
- FortiOS before 7.0.16
- FortiProxy version 7.6.0 through 7.6.1
- FortiProxy version 7.4.0 through 7.4.8
- FortiProxy version 7.2.0 through 7.2.13
- FortiProxy before 7.0.20
CWE
- CWE-304: Missing Critical Step in Authentication
- Explanation: This CWE describes a situation where a critical step or check is missing in the authentication process, allowing attackers to bypass security measures and gain unauthorized access. In this case, the system fails to properly validate the PKI user certificate.
Timeline of Events
- 2024: Vulnerability Discovered
- 2025-07-08: CVE Published
Exploitability & Real-World Risk
The vulnerability is exploitable if an attacker possesses a valid API key and presents any PKI certificate, even an invalid one. This weakness could be leveraged to gain unauthorized administrative access to FortiOS or FortiProxy systems. The real-world risk is significant, as it allows attackers to bypass intended security controls, potentially leading to data breaches, system compromise, and denial of service.
Recommendations
Fortinet has likely released patches to address this vulnerability. Users of affected FortiOS and FortiProxy versions are strongly advised to take the following actions:
- Upgrade: Upgrade to the latest stable version of FortiOS and FortiProxy as soon as possible.
- Review Configurations: Review your API key and PKI certificate authentication configurations to ensure they are properly implemented and secured.
- Monitor Logs: Closely monitor system logs for any suspicious activity related to API authentication.
Technical Insight
The vulnerability lies in the insufficient validation of the PKI user certificate during the API authentication process. The system does not properly verify the certificate's validity, allowing an attacker to use a malformed or expired certificate in conjunction with a valid API key to gain unauthorized access.
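The following is an added illustration of the weakness class described in the Technical Insight and targeted by the "Review Configurations" recommendation; it is not Fortinet code and does not reproduce FortiOS internals. It models an "api-key + PKI certificate" login in a hypothetical service: `login_vulnerable` requires a certificate to be present but never consults its validity (the CWE-304 pattern), while `login_fixed` treats every certificate check as fatal and binds the certificate subject to the configured API user. All names, the `Certificate` and `ApiUser` dataclasses, the `signature_ok` flag (standing in for real chain verification), and the sample credentials are constructed placeholders.

```python
# Added illustration of CWE-304 in an "api-key + PKI certificate" login path.
# Hypothetical model, not Fortinet code: the certificate is a plain dataclass
# carrying the fields a real X.509 verifier would check, and signature_ok
# stands in for the result of chain/signature verification.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    signature_ok: bool


@dataclass(frozen=True)
class ApiUser:
    name: str
    api_key_sha256: str   # only a hash of the key is stored server-side
    cert_subject: str     # the PKI identity this API user is bound to
    trusted_ca: str       # the CA that must have issued the certificate


def api_key_matches(user: ApiUser, presented_key: str) -> bool:
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    return hmac.compare_digest(digest, user.api_key_sha256)


def login_vulnerable(user: ApiUser, presented_key: str, cert, now: datetime) -> bool:
    """Missing critical step: a certificate must be present, but nothing
    about it is checked, so any certificate at all satisfies the login."""
    if not api_key_matches(user, presented_key):
        return False
    if cert is None:
        return False
    return True


def certificate_problems(cert: Certificate, user: ApiUser, now: datetime, revoked) -> list:
    """Return every reason the certificate must be rejected (empty == valid)."""
    problems = []
    if not cert.signature_ok:
        problems.append("signature does not verify against the issuing CA")
    if cert.issuer != user.trusted_ca:
        problems.append(f"issuer {cert.issuer!r} is not the configured CA")
    if now < cert.not_before or now > cert.not_after:
        problems.append("certificate is outside its validity period")
    if cert.serial in revoked:
        problems.append("certificate serial is revoked")
    if cert.subject != user.cert_subject:
        problems.append("certificate subject is not bound to this API user")
    return problems


def login_fixed(user: ApiUser, presented_key: str, cert, now: datetime,
                revoked=frozenset()):
    """Both factors must pass; any failed certificate check is fatal."""
    if not api_key_matches(user, presented_key):
        return False, "api key rejected"
    if cert is None:
        return False, "no certificate presented"
    problems = certificate_problems(cert, user, now, revoked)
    if problems:
        return False, "; ".join(problems)
    return True, "ok"


# ---- constructed sample data (placeholder values, not real credentials) ----
NOW = datetime(2025, 7, 8, tzinfo=timezone.utc)
API_KEY = "placeholder-api-key"
USER = ApiUser(
    name="automation",
    api_key_sha256=hashlib.sha256(API_KEY.encode()).hexdigest(),
    cert_subject="CN=automation,O=Example",
    trusted_ca="CN=Example Internal CA",
)
GOOD_CERT = Certificate("CN=automation,O=Example", "CN=Example Internal CA", 1001,
                        NOW - timedelta(days=30), NOW + timedelta(days=335), True)
EXPIRED_CERT = Certificate("CN=automation,O=Example", "CN=Example Internal CA", 1002,
                           NOW - timedelta(days=400), NOW - timedelta(days=35), True)
FORGED_CERT = Certificate("CN=automation,O=Example", "CN=Attacker CA", 7,
                          NOW - timedelta(days=1), NOW + timedelta(days=1), False)

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("expired", EXPIRED_CERT), ("forged", FORGED_CERT)]:
        print(label, "vulnerable:", login_vulnerable(USER, API_KEY, cert, NOW),
              "fixed:", login_fixed(USER, API_KEY, cert, NOW))
```

The point of the comparison is that the vulnerable path and the fixed path accept the same valid certificate; they differ only in that the fixed path fails closed on an expired, mis-issued, revoked or unbound certificate and reports why, which is also what makes such attempts visible in authentication logs. When reviewing a configuration that combines an API key with certificate authentication, the checks worth confirming are exactly those in `certificate_problems`: chain signature, issuing CA, validity period, revocation status, and the binding between certificate subject and API user.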
Credit to Researcher(s)
Fortinet PSIRT
References
Tags
#CVE-2024-52965 #Fortinet #FortiOS #FortiProxy #AuthenticationBypass #SecurityVulnerability #CWE-304
Summary: CVE-2024-52965 details an authentication bypass vulnerability in Fortinet FortiOS and FortiProxy. An API user holding a valid API key can log in with an invalid PKI certificate, potentially granting unauthorized access. Upgrade to the latest version to mitigate this risk.
CVE ID: CVE-2024-52965
Risk Analysis: Successful exploitation can lead to unauthorized access, data breaches, system compromise, and denial of service.
Recommendation: Upgrade to the latest stable version of FortiOS and FortiProxy. Review API key and PKI certificate authentication configurations and monitor system logs.