CVE-2024-23664

6.1 MEDIUM

📋 TL;DR

This CVE describes an open redirect vulnerability in Fortinet FortiAuthenticator. An attacker crafts a URL on the appliance's own hostname that, when a user follows it, sends the browser on to an arbitrary attacker-chosen website. The vulnerability affects FortiAuthenticator versions 6.6.0, 6.5.3 and below, and 6.4.9 and below. Because the link starts on a trusted identity server, it is well suited to phishing campaigns and to redirecting users to malware distribution sites.

💻 Affected Systems

Products:
  • Fortinet FortiAuthenticator
Versions: 6.6.0, 6.5.3 and below, 6.4.9 and below
Operating Systems: FortiAuthenticator firmware (hardware appliance or VM; this is a standalone product, not FortiOS)
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations of affected versions are vulnerable wherever the FortiAuthenticator web interface is reachable by the targeted user. The attacker needs no access of their own; the victim only has to open a crafted link.

📦 What is this software?

FortiAuthenticator is Fortinet's identity and access management server. It acts as a RADIUS/LDAP authentication server, SAML identity provider, FortiToken two-factor server, certificate authority and guest/captive portal for FortiGate and third-party devices. Its web interface is exactly the kind of trusted login page that makes an open redirect attractive to a phisher.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could send users who trust the FortiAuthenticator hostname to a look-alike login or token page, capture their credentials or one-time codes, or deliver malware. Because FortiAuthenticator fronts SSO, RADIUS and two-factor logins, stolen credentials could then be replayed against the systems that authenticate through it.

🟠

Likely Case

Attackers use crafted URLs in phishing emails or messages to redirect users to fake login pages or malware distribution sites, leading to credential theft or malware infections.

🟢

If Mitigated

With proper redirect-target validation (the patched release, or a WAF/reverse proxy that rejects off-host targets) and user awareness training, impact is limited to failed phishing attempts with minimal damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No (none linked from this page)
Weaponized: Not confirmed; trivial to weaponize once the redirect parameter is known
Unauthenticated Exploit: ⚠️ Yes (no credentials needed to craft the link, but the victim must follow it)
Complexity: LOW

Open redirect vulnerabilities are commonly exploited in phishing campaigns and require minimal technical skill to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.1, 6.5.4, 6.4.10

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-23-465

Restart Required: Yes

Instructions:

1. Back up the current configuration before upgrading.
2. Log into the FortiAuthenticator admin interface.
3. Navigate to System > Dashboard and confirm the running version.
4. Obtain and install the patched firmware for your branch (6.6.1, 6.5.4 or 6.4.10).
5. Reboot the appliance after installation completes, then confirm the new version on the dashboard.

🔧 Temporary Workarounds

Implement WAF rules (platform: all)

Configure web application firewall or reverse proxy rules to block or sanitize redirect parameters whose value points to an external host.

Rule syntax depends on the WAF platform. The check must reject scheme-relative (//host), backslash, userinfo (trusted@evil) and percent- or double-encoded forms, not only literal http(s):// URLs to other domains.

Restrict network access (platform: all)

Limit network access to the FortiAuthenticator web interface to trusted IP ranges only.

Configure firewall rules to restrict access to the FortiAuthenticator management and login interface. Note that with an open redirect the request comes from the victim's own browser, so this only helps where every legitimate user sits inside the allowed ranges; for an internet-facing login or captive portal it is not a complete mitigation.

🧯 If You Can't Patch

  • Put a reverse proxy or WAF in front of the web interface that rejects redirect-style parameters pointing to any host other than the appliance itself
  • Configure email security to flag inbound mail containing links to your FortiAuthenticator hostname that carry redirect-style query parameters, since legitimate mail rarely includes such links

🔍 How to Verify

Check if Vulnerable:

Check FortiAuthenticator version via admin interface: System > Dashboard > System Information

Check Version:

No CLI check is given here; use the web interface (System > Dashboard > System Information).

Verify Fix Applied:

Verify version is updated to 6.6.1, 6.5.4, or 6.4.10 in System > Dashboard > System Information
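A branch-aware check that turns the affected and fixed versions listed above into a triage function, as an added example for this page (not Fortinet tooling). The version strings fed to it are constructed for the example; how you collect them (the dashboard, an inventory export) is up to you.

```python
"""Branch-aware version triage for CVE-2024-23664 (FortiAuthenticator).

Added example for this page, not Fortinet code. Affected and fixed
versions come from the advisory text above; the inventory below is
constructed sample data.
"""
import re

# First fixed release per affected branch, from the advisory.
FIXED = {
    (6, 4): (6, 4, 10),
    (6, 5): (6, 5, 4),
    (6, 6): (6, 6, 1),
}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v6.5.3' or a
    constructed 'FortiAuthenticator v6.4.9,build0461'. Raises ValueError
    when no x.y.z version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return 'vulnerable', 'fixed' or 'not in advisory scope'.

    Branches the advisory does not list (e.g. 6.3.x or 6.7.x) are reported
    as out of scope rather than guessed at; consult the vendor advisory.
    """
    ver = parse_version(text)
    branch = ver[:2]
    if branch not in FIXED:
        return "not in advisory scope"
    return "fixed" if ver >= FIXED[branch] else "vulnerable"


def triage(inventory):
    """Map {hostname: version string} to {hostname: status}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed inventory for the example.
SAMPLE_INVENTORY = {
    "fac-dc1.example.com": "FortiAuthenticator v6.4.9,build0461",
    "fac-dc2.example.com": "v6.5.4",
    "fac-lab.example.com": "6.6.0",
    "fac-old.example.com": "6.3.2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the exact string shown under System Information; the build suffix is ignored and only the x.y.z part is compared.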

📡 Detection & Monitoring

Log Indicators:

  • Requests to the web interface whose redirect-style query parameter carries an absolute or scheme-relative URL to an external host (the vulnerable parameter name is not published; match on common names such as redirect, url, next and return)
  • Repeated requests from one source probing different parameter names or encodings (double-encoded slashes, backslashes, trusted-host@evil-host forms)
  • Confirm that your log source records full query strings; if the appliance's own logs do not, a reverse proxy or WAF in front of it will

Network Indicators:

  • HTTP 301/302 responses from the FortiAuthenticator host whose Location header points to an unexpected external domain
  • Users arriving at look-alike login pages with a Referer of the FortiAuthenticator hostname

SIEM Query (pseudo-query; field names depend on your log source and must be mapped to it):

source="fortiauthenticator" AND (url="*redirect=*" OR url="*url=*") AND NOT redirect_target IN (allowed_domains)
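The redirect-target check the WAF workaround above asks for, and the same check run over access-log lines to produce the log indicators listed in this section, as one added example for this page (not Fortinet code). The advisory does not name the vulnerable parameter, so the parameter names, the hostname auth.example.com and the log lines are assumptions and constructed sample data. The weak check that gives rise to open redirects is shown beside the hardened one.

```python
"""Redirect-target validation and access-log triage for an open redirect.

Added example for this page, not Fortinet code. REDIRECT_PARAMS, OWN_HOSTS
and SAMPLE_LOG are assumptions / constructed data.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters commonly used to carry a post-login destination (assumed).
REDIRECT_PARAMS = {"redirect", "redirect_uri", "url", "next", "return", "returnurl", "goto"}

# Hosts the application may legitimately redirect to (assumed).
OWN_HOSTS = {"auth.example.com"}


def naive_is_safe(target, own_hosts):
    """The kind of check that produces an open redirect: anything starting
    with '/' or merely containing our hostname is accepted."""
    return target.startswith("/") or any(h in target for h in own_hosts)


def is_safe_redirect_target(target, own_hosts):
    """Accept only a local absolute path or an http(s) URL whose host is ours.

    Rejects the usual bypasses: scheme-relative '//evil', backslash '/\\evil'
    (browsers treat '\\' as '/'), userinfo 'https://ours@evil', look-alike
    'ours.evil', non-http schemes such as 'javascript:', and percent- or
    double-encoded forms of any of these.
    """
    if not target:
        return True  # empty value: the application falls back to its default
    t = target
    for _ in range(3):  # peel repeated encoding: %252F%252F -> %2F%2F -> //
        decoded = unquote(t)
        if decoded == t:
            break
        t = decoded
    t = t.strip().replace("\\", "/")
    if t.startswith("/") and not t.startswith("//"):
        return True  # a plain local path such as /dashboard
    try:
        parts = urlsplit(t)
    except ValueError:
        return False  # malformed (e.g. bad IPv6 literal): reject
    if parts.scheme not in ("http", "https"):
        return False  # '//evil', 'javascript:' and bare 'evil.com' land here
    # .hostname drops userinfo and port and lowercases: 'ours@evil' -> 'evil'
    return parts.hostname in own_hosts


# Combined log format: client - - [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)


def find_open_redirect_attempts(log_lines, own_hosts):
    """Return (source_ip, parameter, decoded_value) for every request whose
    redirect-style parameter points off-host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("uri")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:  # parse_qs has already decoded one layer
                if not is_safe_redirect_target(value, own_hosts):
                    hits.append((m.group("src"), name, value))
    return hits


# Constructed sample log: two benign requests, then three off-host targets
# using scheme-relative, userinfo and double-encoded forms.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2024:08:12:01 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2024:08:12:09 +0000] "GET /login?next=https://auth.example.com/portal HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Feb/2024:08:13:44 +0000] "GET /login?next=//evil.example/fake-sso HTTP/1.1" 302 0 "-" "curl/8.4"',
    '198.51.100.23 - - [10/Feb/2024:08:13:50 +0000] "GET /login?redirect=https%3A%2F%2Fauth.example.com%40evil.example%2F HTTP/1.1" 302 0 "-" "curl/8.4"',
    '198.51.100.23 - - [10/Feb/2024:08:14:02 +0000] "GET /login?url=%252F%252Fevil.example HTTP/1.1" 302 0 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for src, param, value in find_open_redirect_attempts(SAMPLE_LOG, OWN_HOSTS):
        print(f"{src} {param}={value!r} naive_check_passes={naive_is_safe(value, OWN_HOSTS)}")
```

Relative targets without a leading slash (for example "portal") are deliberately rejected as well, so the application should always emit absolute local paths; that is a stricter policy than a browser would apply, and the safe direction to err in.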

🔗 References

  • Fortinet PSIRT advisory FG-IR-23-465: https://fortiguard.fortinet.com/psirt/FG-IR-23-465
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-23664