CVE-2024-23107
📋 TL;DR
This vulnerability allows authenticated attackers on FortiWeb web application firewalls to read password hashes of other administrators through CLI commands. This affects FortiWeb versions 7.4.0, 7.2.4 and below, 7.0.8 and below, and all 6.3 versions. Attackers must already have administrative access to exploit this vulnerability.
💻 Affected Systems
- FortiWeb Web Application Firewall
📦 What is this software?
Fortiweb by Fortinet
Fortiweb by Fortinet
Fortiweb by Fortinet
Fortiweb by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious administrator could harvest password hashes of other administrators, potentially crack them offline, and gain unauthorized access to additional administrative accounts, leading to complete system compromise.
Likely Case
An attacker with existing administrative access uses CLI commands to view other administrators' password hashes, potentially enabling lateral movement within the administrative user base.
If Mitigated
With proper access controls and monitoring, the impact is limited to information disclosure without enabling further system compromise.
🎯 Exploit Status
Exploitation requires authenticated administrative access. The vulnerability involves simple CLI commands to read password hashes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1, 7.2.5, 7.0.9, 6.3.20
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-23-191
Restart Required: Yes
Instructions:
1. Download the appropriate firmware update from Fortinet support portal. 2. Backup current configuration. 3. Apply firmware update through web interface or CLI. 4. Reboot the FortiWeb appliance. 5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Administrative Access
allLimit administrative access to only trusted personnel and implement strict access controls.
Monitor CLI Activity
allEnable detailed logging of CLI commands and monitor for suspicious hash viewing activities.
config log syslogd setting
set status enable
set server <IP>
end
🧯 If You Can't Patch
- Implement strict administrative access controls and principle of least privilege.
- Enable comprehensive logging and monitoring of all administrative CLI activities.
🔍 How to Verify
Check if Vulnerable:
Check FortiWeb version via CLI: 'get system status' and compare against affected versions.Check Version:
get system statusVerify Fix Applied:
Verify firmware version is 7.4.1, 7.2.5, 7.0.9, or 6.3.20 or higher using 'get system status' command.📡 Detection & Monitoring
Log Indicators:
- Unusual CLI commands accessing administrator password information
- Multiple failed login attempts following hash exposure
Network Indicators:
- Unusual administrative access patterns
- Traffic to password cracking services
SIEM Query:
source="fortiweb" AND (event_type="cli_command" AND command="*password*" OR command="*hash*")