CVE-2024-23112
📋 TL;DR
This CVE describes an authorization bypass vulnerability in FortiOS and FortiProxy SSL-VPN that allows authenticated attackers to access other users' bookmarks through URL manipulation. Attackers can exploit user-controlled keys to bypass authorization checks and view unauthorized resources. This affects all organizations running vulnerable versions of FortiOS 6.4.7-6.4.14, 7.0.1-7.0.13, 7.2.0-7.2.6, 7.4.0-7.4.1 and FortiProxy 7.0.0-7.0.14, 7.2.0-7.2.8, 7.4.0-7.4.2.
💻 Affected Systems
- FortiOS
- FortiProxy
📦 What is this software?
Fortios by Fortinet
Fortiproxy by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could access sensitive user bookmarks containing internal resources, credentials, or privileged access URLs, potentially leading to lateral movement and data exfiltration.
Likely Case
Attackers with valid SSL-VPN credentials can view other users' bookmarks to discover internal resources, map network topology, and potentially access restricted systems.
If Mitigated
With proper network segmentation and access controls, impact is limited to unauthorized viewing of bookmark data without direct system access.
🎯 Exploit Status
Exploitation requires authenticated SSL-VPN access and involves URL manipulation. No public exploit code available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.4.2, 7.2.7, 7.0.14, 6.4.15; FortiProxy 7.4.3, 7.2.9, 7.0.15
Vendor Advisory: https://fortiguard.com/psirt/FG-IR-24-013
Restart Required: Yes
Instructions:
1. Download the appropriate firmware version from the Fortinet support portal.
2. Back up the current configuration.
3. Upload the firmware via the web GUI or CLI.
4. Reboot the device after the upload completes successfully.
5. Verify the running version after the reboot.
🔧 Temporary Workarounds
Disable SSL-VPN bookmarks
Remove or disable bookmark functionality in the SSL-VPN portal configuration to eliminate the attack surface. Note that `unset` only restores the option's default, so the option must be explicitly set to `disable`:
config vpn ssl web portal
    edit <portal_name>
        set allow-user-bookmark disable
    next
end
Restrict SSL-VPN access
Limit SSL-VPN access to only the users who need it and enforce two-factor authentication on their accounts. The example below assigns a FortiToken to a local user; `<token_serial>` is the serial number of a token already registered on the device:
config user local
    edit <user>
        set type password
        set passwd <password>
        set two-factor fortitoken
        set fortitoken <token_serial>
    next
end
🧯 If You Can't Patch
- Implement network segmentation to isolate resources accessible via SSL-VPN bookmarks
- Enable detailed logging and monitoring of SSL-VPN access patterns for anomalous behavior
🔍 How to Verify
Check if Vulnerable:
Check FortiOS/FortiProxy version via CLI: 'get system status' or web GUI: Dashboard > System Information
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify that the running version is at or above the fixed release for its branch: FortiOS 7.4.2, 7.2.7, 7.0.14 or 6.4.15; FortiProxy 7.4.3, 7.2.9 or 7.0.15.
📡 Detection & Monitoring
Log Indicators:
- Multiple bookmark access attempts from single user
- Unusual URL patterns in SSL-VPN logs
- Access to bookmark resources outside normal user patterns
Network Indicators:
- Abnormal SSL-VPN session patterns
- Multiple resource access attempts in short timeframes
SIEM Query:
source="fortigate" AND "sslvpn" AND ("bookmark" OR "portal") | stats count by src_ip, user
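Detection logic of the kind the indicators above describe, as an added example that is not part of this advisory or of any Fortinet product: it parses constructed FortiGate-style key=value event lines and flags a user/source-IP pair that touches more than a threshold of distinct bookmarks inside a short window. The bookmark-related `msg` text and the `bookmark` field are assumptions for the example; the page does not reproduce the vendor's exact log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate key=value syntax (not real logs).
# date/time/type/subtype/user/remip follow the usual FortiGate event-log
# layout; the msg text and the "bookmark" field are assumed for this example.
SAMPLE_LOGS = """\
date=2024-02-12 time=09:00:01 type="event" subtype="vpn" user="alice" remip="203.0.113.5" msg="SSL web portal bookmark access" bookmark="alice-intranet"
date=2024-02-12 time=09:00:04 type="event" subtype="vpn" user="alice" remip="203.0.113.5" msg="SSL web portal bookmark access" bookmark="bob-hr-share"
date=2024-02-12 time=09:00:07 type="event" subtype="vpn" user="alice" remip="203.0.113.5" msg="SSL web portal bookmark access" bookmark="carol-rdp"
date=2024-02-12 time=09:00:09 type="event" subtype="vpn" user="alice" remip="203.0.113.5" msg="SSL web portal bookmark access" bookmark="dave-fileserver"
date=2024-02-12 time=09:30:00 type="event" subtype="vpn" user="bob" remip="198.51.100.9" msg="SSL web portal bookmark access" bookmark="bob-hr-share"
date=2024-02-12 time=10:15:00 type="event" subtype="vpn" user="bob" remip="198.51.100.9" msg="SSL web portal bookmark access" bookmark="bob-hr-share"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one FortiGate-style key=value line into a dict of strings."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def bookmark_bursts(log_text, window=timedelta(seconds=60), threshold=3):
    """Return (user, remip, distinct_bookmarks) for every user/IP pair that
    accessed more than `threshold` distinct bookmarks within `window`."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("subtype") != "vpn" or "bookmark" not in rec.get("msg", ""):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events[(rec["user"], rec["remip"])].append((ts, rec.get("bookmark")))
    hits = []
    for (user, remip), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct bookmarks touched in the window opening at this event
            names = {b for t, b in evs[i:] if t - start <= window}
            if len(names) > threshold:
                hits.append((user, remip, len(names)))
                break  # one alert per user/IP pair is enough
    return hits


if __name__ == "__main__":
    for user, remip, n in bookmark_bursts(SAMPLE_LOGS):
        print(f"ALERT user={user} remip={remip} distinct_bookmarks={n}")
```

Tune `window` and `threshold` to the normal bookmark activity of your own user population before alerting on it.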