CVE-2021-24019
📋 TL;DR
This vulnerability allows attackers to reuse unexpired admin session IDs in FortiClientEMS to gain administrative privileges. It affects organizations using FortiClientEMS versions 6.4.2 and below or 6.2.8 and below. Attackers need to obtain valid session IDs through other means first.
💻 Affected Systems
- FortiClient Enterprise Management Server (EMS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full administrative compromise of FortiClientEMS, allowing attackers to manage endpoints, deploy malicious configurations, and access sensitive endpoint management data.
Likely Case
Privilege escalation to admin level if an attacker obtains a valid session ID through session hijacking or credential theft.
If Mitigated
Limited impact with proper session management, network segmentation, and monitoring in place.
🎯 Exploit Status
Requires obtaining valid admin session IDs first through other attacks like session hijacking, MITM, or credential theft.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.3 or 6.2.9
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-20-072
Restart Required: Yes
Instructions:
1. Download FortiClientEMS 6.4.3 or 6.2.9 from the Fortinet support portal.
2. Back up the current configuration.
3. Install the update following the Fortinet upgrade guide.
4. Restart the EMS service.
🔧 Temporary Workarounds
Session Timeout Reduction
Reduce session timeout values to minimize the window in which an unexpired session ID can be reused
Configure via FortiClientEMS web interface: System > Settings > Session Timeout
Network Segmentation
Isolate the FortiClientEMS management interface from untrusted networks
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the EMS management interface
- Enable detailed logging and monitoring for unusual admin session activity
🔍 How to Verify
Check if Vulnerable:
Check FortiClientEMS version via web interface: Dashboard > System Information
Check Version:
On EMS server: fc-ems-ctl --version
Verify Fix Applied:
Verify version is 6.4.3 or higher (for 6.4.x) or 6.2.9 or higher (for 6.2.x)
📡 Detection & Monitoring
Log Indicators:
- Multiple admin sessions from different IPs
- Admin sessions with unusual timing patterns
- Failed login attempts followed by successful session reuse
Network Indicators:
- Unusual admin API calls from unexpected sources
- Session ID reuse across different client IPs
SIEM Query:
source="forticlient-ems" AND ((event_type="admin_login" AND src_ip!=expected_admin_ip) OR (session_id COUNT BY user > 1))
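The two indicators above (one session ID seen from more than one client IP, and a session still accepted long after it should have timed out) can be checked offline against exported logs. The following is an added example, not code from the advisory or from Fortinet; the log line format, field names and sample entries are constructed assumptions, and the idle-timeout heuristic should be set to whatever timeout the EMS is actually configured with.

```python
# Added example (not from the advisory): flag admin session IDs that are reused
# from more than one client IP, or that stay active past a configured idle timeout.
# Log format and field names are constructed assumptions, not real EMS output.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; assumed format:
# "<ISO time> user=<u> session_id=<id> src_ip=<ip> action=<a>"
SAMPLE_LOGS = """\
2021-03-01T09:00:00 user=admin session_id=s1 src_ip=10.0.0.5 action=admin_login
2021-03-01T09:05:00 user=admin session_id=s1 src_ip=10.0.0.5 action=api_call
2021-03-01T09:20:00 user=admin session_id=s1 src_ip=203.0.113.7 action=api_call
2021-03-01T10:00:00 user=auditor session_id=s2 src_ip=10.0.0.9 action=admin_login
2021-03-01T14:30:00 user=auditor session_id=s2 src_ip=10.0.0.9 action=api_call
"""

def parse_line(line):
    """Parse one assumed-format log line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_suspicious_sessions(log_text, idle_timeout=timedelta(minutes=30)):
    """Return {session_id: [reasons]} for sessions that look reused or stale."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_session[rec["session_id"]].append(rec)
    findings = {}
    for sid, events in by_session.items():
        events.sort(key=lambda r: r["ts"])
        reasons = []
        ips = {e["src_ip"] for e in events}
        if len(ips) > 1:
            reasons.append(f"session used from {len(ips)} client IPs: {sorted(ips)}")
        # A gap between consecutive events longer than the idle timeout means the
        # session should have expired but was still accepted.
        for prev, cur in zip(events, events[1:]):
            if cur["ts"] - prev["ts"] > idle_timeout:
                reasons.append(f"activity after {cur['ts'] - prev['ts']} idle gap "
                               f"(timeout {idle_timeout})")
                break
        if reasons:
            findings[sid] = reasons
    return findings

if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(SAMPLE_LOGS).items():
        print(sid, "->", "; ".join(reasons))
```

Run against real exports by replacing SAMPLE_LOGS with the EMS log text after adapting parse_line to the actual field layout.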