CVE-2024-32124
📋 TL;DR
An improper access control vulnerability in FortiIsolator's logging component allows authenticated read-only users to alter logs via crafted HTTP requests. This affects FortiIsolator versions 2.4.4, 2.4.3, and all 2.3 versions. Attackers with read-only access can manipulate audit trails and potentially cover malicious activity.
💻 Affected Systems
- FortiIsolator
📦 What is this software?
FortiIsolator by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete or modify security logs to hide evidence of other attacks, enabling persistent undetected access and compromising forensic investigations.
Likely Case
Malicious insiders or compromised accounts with read-only access could tamper with audit logs to obscure unauthorized activities.
If Mitigated
With proper access controls and monitoring, log tampering would be detected and limited to authorized administrative functions.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple HTTP requests. No public exploit code has been disclosed as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Upgrade to FortiIsolator version 2.4.5 or later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-045
Restart Required: Yes
Instructions:
1. Download FortiIsolator version 2.4.5 or later from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update through the administrative interface.
4. Reboot the device as required.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict access to logging interface
Limit network access to the FortiIsolator logging component to trusted administrative networks only.
Implement strict access controls
Review and minimize the accounts with access to the logging component, ensuring only the necessary administrative roles have write permissions.
🧯 If You Can't Patch
- Implement external log forwarding to a secure SIEM where logs cannot be modified by FortiIsolator users
- Enable comprehensive audit logging of all administrative actions on the FortiIsolator device itself
🔍 How to Verify
Check if Vulnerable:
Check FortiIsolator version via web interface: System > Dashboard > System Information, or CLI: 'get system status'
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm the version is 2.4.5 or later using the same methods, then test that read-only users cannot modify logs via HTTP requests.
📡 Detection & Monitoring
Log Indicators:
- Unexpected log modifications or deletions
- HTTP requests to logging endpoints from read-only accounts
- Log entries with suspicious timestamps or missing expected data
Network Indicators:
- HTTP POST/PUT requests to logging API endpoints from non-admin accounts
- Unusual patterns of requests to /log/ or similar paths
SIEM Query:
source="fortiisolator" AND (http_method="POST" OR http_method="PUT") AND uri="/log/*" AND user_role="read-only"
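The version check from "How to Verify" and the detection rule from the SIEM query above, as an added Python example (not code from the advisory or from Fortinet). The key=value log layout, the user/role/method/uri/status field names and the sample lines are constructed assumptions; real FortiIsolator logs will need their own parser.

```python
import re

# Constructed sample lines in a key=value layout; this is NOT a real FortiIsolator log
# format, just an assumption made so the example runs offline.
SAMPLE_LOG = """\
2024-04-10T12:00:01Z user=admin role=admin method=POST uri=/log/purge status=200
2024-04-10T12:00:05Z user=bob role=read-only method=GET uri=/log/view?id=17 status=200
2024-04-10T12:00:09Z user=bob role=read-only method=POST uri=/log/delete?id=17 status=200
2024-04-10T12:00:14Z user=carol role=read-only method=PUT uri=/log/entries/42 status=403
2024-04-10T12:00:20Z user=carol role=read-only method=PUT uri=/api/profile status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
WRITE_METHODS = {"POST", "PUT"}  # the methods named in the page's SIEM query


def is_affected(version):
    """Affected per the advisory: 2.4.4, 2.4.3 and every 2.3.x build; fixed in 2.4.5.
    Versions the advisory does not list are reported as not affected."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts[:2] == (2, 3) or parts in {(2, 4, 3), (2, 4, 4)}


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = ts
    return event


def is_log_write_by_readonly(event):
    """The condition behind the page's SIEM query: a write to /log/* by a read-only role."""
    return (event.get("role") == "read-only"
            and event.get("method") in WRITE_METHODS
            and event.get("uri", "").startswith("/log/"))


def detect(log_text):
    """Return matching events. A 2xx status means the write succeeded (device likely
    unpatched); any other status means it was refused but a read-only account still tried."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        if is_log_write_by_readonly(event):
            event["severity"] = "high" if event.get("status", "").startswith("2") else "medium"
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['severity'].upper()}: {a['user']} {a['method']} {a['uri']} -> {a['status']}")
```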