CVE-2024-36510

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to enumerate valid user accounts on Fortinet products by observing differences in login response behavior. Attackers can identify which usernames exist in the system, facilitating targeted credential attacks. Affected systems include FortiClientEMS and FortiSOAR across multiple versions.

💻 Affected Systems

Products:
  • FortiClientEMS
  • FortiSOAR
Versions: FortiClientEMS: 7.4.0, 7.2.0-7.2.4, 7.0 all; FortiSOAR: 7.5.0, 7.4.0-7.4.4, 7.3.0-7.3.2, 7.2 all, 7.0 all, 6.4 all
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers build a complete list of valid usernames, then conduct targeted password attacks leading to account compromise and potential lateral movement.

🟠

Likely Case

Attackers identify administrative or service accounts, then attempt credential stuffing or brute-force attacks against those specific accounts.

🟢

If Mitigated

Attackers can enumerate users but cannot proceed further due to strong authentication controls like MFA and account lockout policies.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to the login endpoint and ability to observe response differences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiClientEMS 7.4.1, 7.2.5, 7.0.10; FortiSOAR 7.5.1, 7.4.5, 7.3.3, 7.2.3, 7.0.3, 6.4.5

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-071

Restart Required: Yes

Instructions:

1. Download the appropriate patch version from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the patch following vendor instructions.
4. Restart services.
5. Verify the patch installation.

🔧 Temporary Workarounds

Network Access Restriction

Applies to: all versions

Restrict access to login endpoints to trusted IP ranges only.

Rate Limiting

Applies to: all versions

Implement rate limiting on authentication endpoints to slow enumeration.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to affected systems
  • Enable multi-factor authentication for all user accounts

🔍 How to Verify

Check if Vulnerable:

Test the login endpoint with a known-valid and a known-invalid username and observe whether the responses differ in content, status code, or timing (requires authorization to test the system).

Check Version:

Check web interface or CLI for version information specific to each product

Verify Fix Applied:

After patching, test that both valid and invalid usernames return identical response patterns

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts with different usernames from same source
  • Unusual pattern of authentication requests

Network Indicators:

  • High volume of POST requests to login endpoints
  • Requests from unexpected IP ranges

SIEM Query:

(source="forticlientems" OR source="fortisoar") AND (event_type="authentication" OR url_path="/login") | stats dc(username) AS distinct_users, count AS attempts BY src_ip | where distinct_users > <threshold>

Note: the source filter must be parenthesized, otherwise AND binds tighter than OR and the query only applies the authentication filter to the FortiSOAR source. Counting distinct usernames per source IP (dc(username)) rather than attempts per (src_ip, username) pair is what surfaces enumeration, where each username is typically tried only once. <threshold> is a placeholder to tune for your environment.
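The log indicator above ("multiple failed login attempts with different usernames from the same source") can be checked offline against exported authentication logs. The following is an added example, not code from the advisory page or from Fortinet; the log line format, field names, IP addresses and usernames are constructed for illustration, and a real deployment would adapt the regular expression to the product's actual log format.

```python
"""Flag source IPs that try many distinct usernames within a short window.

Added example (not from the advisory or the vendor): a small detector for
the "many different usernames from one source" indicator. The log format,
field names, IPs and usernames below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one enumeration burst from 203.0.113.9 (six
# different usernames in five seconds) and a legitimate user from
# 198.51.100.20 who mistypes a password twice, then logs in.
SAMPLE_LOG = """\
2024-06-10T12:00:01Z auth src_ip=203.0.113.9 username=admin result=failed
2024-06-10T12:00:02Z auth src_ip=203.0.113.9 username=backup result=failed
2024-06-10T12:00:02Z auth src_ip=203.0.113.9 username=jsmith result=failed
2024-06-10T12:00:03Z auth src_ip=203.0.113.9 username=svc-soar result=failed
2024-06-10T12:00:04Z auth src_ip=203.0.113.9 username=root result=failed
2024-06-10T12:00:05Z auth src_ip=203.0.113.9 username=helpdesk result=failed
2024-06-10T12:01:10Z auth src_ip=198.51.100.20 username=alice result=failed
2024-06-10T12:01:25Z auth src_ip=198.51.100.20 username=alice result=failed
2024-06-10T12:01:40Z auth src_ip=198.51.100.20 username=alice result=success
"""

# Hypothetical key=value line format; adjust to the product's real log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src_ip=(?P<src_ip>\S+) username=(?P<username>\S+) "
    r"result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, username, result), or None if the line
    does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src_ip"], m["username"], m["result"]


def find_enumeration_sources(log_text, window_seconds=300, min_distinct=5):
    """Return {src_ip: sorted list of usernames tried} for every source that
    failed logins for at least `min_distinct` different usernames inside any
    `window_seconds`-long window. Only failed attempts are counted; a
    successful login for a known account is not an enumeration signal."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)  # src_ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src_ip, username, result = parsed
        if result == "failed":
            attempts[src_ip].append((ts, username))

    flagged = {}
    for src_ip, events in attempts.items():
        events.sort()
        start = 0
        # Sliding window over time-ordered events: advance `start` until the
        # span [start, end] fits inside the window, then count distinct names.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            names_in_window = {u for _, u in events[start:end + 1]}
            if len(names_in_window) >= min_distinct:
                flagged[src_ip] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, names in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} distinct usernames tried: {', '.join(names)}")
```

The threshold and window are the same knobs as in the SIEM query; a legitimate user retrying one account stays below `min_distinct` no matter how many attempts they make, which is why the detector keys on distinct usernames rather than raw attempt counts.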
