CVE-2021-24008
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to obtain sensitive software version information from multiple Fortinet products by reading a JavaScript file. This affects FortiDDoS, FortiDDoS-CM, FortiVoice, FortiRecorder, and FortiMail systems running vulnerable versions. The exposed information could help attackers plan targeted attacks against these systems.
💻 Affected Systems
- FortiDDoS
- FortiDDoS-CM
- FortiVoice
- FortiRecorder
- FortiMail
📦 What is this software?
Fortiddos by Fortinet
Fortiddos Cm by Fortinet
Fortiddos Cm by Fortinet
Fortiddos Cm by Fortinet
Fortiddos Cm by Fortinet
Fortiddos Cm by Fortinet
Fortimail by Fortinet
Fortimail by Fortinet
Fortimail by Fortinet
Fortirecorder by Fortinet
Fortivoice by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers use version information to identify and exploit other known vulnerabilities in the specific Fortinet product versions, potentially leading to full system compromise.
Likely Case
Attackers gather reconnaissance data to identify vulnerable systems for targeted attacks, increasing the risk of subsequent exploitation.
If Mitigated
Information disclosure limited to version data only, with no direct system access or data breach.
🎯 Exploit Status
Exploitation requires only HTTP access to retrieve the JavaScript file containing version information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiDDoS: 5.5.0; FortiDDoS-CM: 5.4.0; FortiVoice: 6.0.7; FortiRecorder: 6.0.4; FortiMail: 6.4.2, 6.2.5, 6.0.10
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-20-105
Restart Required: Yes
Instructions:
1. Download the appropriate firmware update from Fortinet support portal. 2. Backup current configuration. 3. Apply firmware update via web interface or CLI. 4. Reboot the appliance. 5. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Control
allRestrict access to management interfaces using firewall rules or network segmentation
Web Application Firewall Rules
allBlock access to JavaScript files containing version information
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy intrusion detection systems to monitor for reconnaissance attempts against these systems
🔍 How to Verify
Check if Vulnerable:
Access the web interface and inspect JavaScript files for version information disclosureCheck Version:
show system status (CLI) or check System Information in web interfaceVerify Fix Applied:
Verify firmware version is updated to patched version and attempt to access JavaScript files to confirm version information is no longer exposed📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to JavaScript files from external IPs
- Multiple failed authentication attempts following JavaScript file access
Network Indicators:
- HTTP GET requests to .js files from external sources
- Increased scanning activity against Fortinet management interfaces
SIEM Query:
source_ip IN external_ips AND dest_port=443 AND uri_path CONTAINS '.js' AND user_agent NOT IN known_scanners