CVE-2024-23663 – This vulnerability allows attackers to create u... (How to Fix)

Q: What is the severity of CVE-2024-23663?

CVE-2024-23663 has a CVSS score of 8.8 (HIGH). This vulnerability allows attackers to create users with elevated privileges on Fortinet FortiExtender devices via crafted HTTP requests. It affects multiple versions of FortiExtender firmware. Organizations using affected versions are at risk of unauthorized administrative access.

📋 TL;DR

This vulnerability allows attackers to create users with elevated privileges on Fortinet FortiExtender devices via crafted HTTP requests. It affects multiple versions of FortiExtender firmware. Organizations using affected versions are at risk of unauthorized administrative access.

💻 Affected Systems

Products:

Fortinet FortiExtender

Versions: 4.1.1 - 4.1.9, 4.2.0 - 4.2.6, 5.3.2, 7.0.0 - 7.0.4, 7.2.0 - 7.2.4, 7.4.0 - 7.4.2

Operating Systems: FortiOS-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All affected versions with default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise leading to network infiltration, data exfiltration, and use as pivot point for lateral movement.

🟠

Likely Case

Unauthorized administrative access allowing configuration changes, network monitoring, and credential harvesting.

🟢

If Mitigated

Limited impact due to network segmentation and strict access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH - FortiExtender devices often have web interfaces exposed to manage connectivity.

🏢 Internal Only: MEDIUM - Requires network access but could be exploited by internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires network access to the FortiExtender management interface. Crafted HTTP request needed but no authentication required for the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions 7.4.3, 7.2.5, 7.0.5, 5.3.3, 4.2.7, and 4.1.10

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-459

Restart Required: Yes

Instructions:

1. Download appropriate firmware version from Fortinet support portal. 2. Backup current configuration. 3. Upload firmware via web interface or CLI. 4. Reboot device after installation.

🔧 Temporary Workarounds

Restrict Management Access

all

Limit access to FortiExtender management interface to trusted IP addresses only

config system interface
edit <interface_name>
set allowaccess https ssh
set trust-ip-1 <trusted_ip>
end

Disable Unused Services

all

Disable HTTP/HTTPS management if not required for operations

config system interface
edit <interface_name>
set allowaccess ssh
end

🧯 If You Can't Patch

Implement strict network segmentation to isolate FortiExtender devices
Enable detailed logging and monitor for unauthorized user creation attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Dashboard) or CLI command: get system status

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify firmware version is updated to patched version and test user creation functionality

📡 Detection & Monitoring

Log Indicators:

Unexpected user creation events
HTTP requests to user management endpoints from unauthorized sources
Failed authentication attempts followed by successful user creation

Network Indicators:

HTTP POST requests to /api/v2/cmdb/system/admin/user with privilege escalation parameters
Unusual traffic patterns to FortiExtender management interface

SIEM Query:

source="fortiextender" AND (event_type="user_creation" OR uri_path="/api/v2/cmdb/system/admin/user")

📊 Metadata

CVE ID: CVE-2024-23663

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-284

Published: July 9, 2024

Last Updated: November 21, 2024

🔗 References

https://fortiguard.com/psirt/FG-IR-23-459 Vendor Advisory
https://fortiguard.com/psirt/FG-IR-23-459 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-23663, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fortiextender Firmware by Fortinet

Fortiextender Firmware by Fortinet

Fortiextender Firmware by Fortinet

Fortiextender Firmware by Fortinet

Fortiextender Firmware by Fortinet

Fortiextender Firmware by Fortinet

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Management Access

Disable Unused Services

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities