Summary
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
Affected Products
| Version | Affected | Solution |
| --- | --- | --- |
| FortiOS 7.6 | Not affected | Not Applicable |
| FortiOS 7.4 | Not affected | Not Applicable |
| FortiOS 7.2 | Not affected | Not Applicable |
| FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiProxy 7.6 | Not affected | Not Applicable |
| FortiProxy 7.4 | Not affected | Not Applicable |
| FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
| FortiProxy 2.0 | Not affected | Not Applicable |
Recommendations
Follow the recommended upgrade path using the Fortinet upgrade tool at:
https[:]//docs[.]fortinet[.]com/upgrade-tool
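To turn the affected-version table into something a defender can run across a device inventory, here is an added Python example (not part of the Fortinet advisory). The affected ranges and fixed builds are transcribed from the table above; the hostnames and build numbers in the sample inventory are constructed for illustration.

```python
"""Flag FortiOS / FortiProxy builds that fall inside the advisory's affected ranges."""
from typing import Iterable, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per product, transcribed from the table.
# Branches listed as "Not affected" have no entry and therefore never match.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 16), (7, 0, 17))],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 12), (7, 2, 13)),
        ((7, 0, 0), (7, 0, 19), (7, 0, 20)),
    ],
}


def parse_version(text: str) -> Version:
    """Parse '7.0.16' or 'v7.0.16' into a numeric tuple.

    Comparing as integers matters: as strings, '7.0.9' sorts after '7.0.16'.
    """
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def check(product: str, version: str) -> Optional[str]:
    """Return the minimum fixed build if (product, version) is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED.get(product, []):
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (host, product, version, fixed) for every affected device in an inventory."""
    for host, product, version in inventory:
        fixed = check(product, version)
        if fixed is not None:
            yield (host, product, version, fixed)


# Constructed sample inventory (hostnames and builds are made up for this example).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("fw-edge-01", "FortiOS", "7.0.9"),
    ("fw-edge-02", "FortiOS", "7.0.17"),
    ("fw-core-01", "FortiOS", "7.2.10"),
    ("px-dmz-01", "FortiProxy", "7.2.12"),
    ("px-dmz-02", "FortiProxy", "v7.0.20"),
    ("px-dmz-03", "FortiProxy", "7.0.5"),
]

if __name__ == "__main__":
    for host, product, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected; upgrade to {fixed} or above")
```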
References
- Fortinet: https[:]//fortiguard[.]fortinet[.]com/psirt/FG-IR-24-535
- CVE ORG: https[:]//www[.]cve[.]org/CVERecord?id=CVE-2024-55591