CVE-2024-45327
📋 TL;DR
An improper authorization vulnerability in FortiSOAR's change password endpoint allows authenticated attackers to perform brute force attacks against user and administrator passwords. This affects FortiSOAR versions 7.4.0-7.4.3, 7.3.0-7.3.2, 7.2.0-7.2.2, and 7.0.0-7.0.3. Attackers can potentially compromise accounts by guessing passwords through crafted HTTP requests.
💻 Affected Systems
- FortiSOAR
📦 What is this software?
FortiSOAR by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of administrator accounts leading to full system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Compromise of user accounts with limited privileges, potentially leading to unauthorized access to sensitive data and privilege escalation.
If Mitigated
Failed brute force attempts detected and blocked by security controls, with no account compromise.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple HTTP requests. Attack tools can easily automate brute force attempts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.4, 7.3.3, 7.2.3, 7.0.4
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-048
Restart Required: Yes
Instructions:
1. Back up your FortiSOAR configuration.
2. Download the appropriate patched version from the Fortinet support portal.
3. Follow Fortinet's upgrade documentation for your version.
4. Restart FortiSOAR services after the upgrade.
🔧 Temporary Workarounds
Rate Limiting
Implement rate limiting on the change password endpoint to prevent brute force attempts.
Configure rate limiting via the FortiSOAR admin interface or the underlying web server configuration.
Network Segmentation
Restrict access to the FortiSOAR management interface to trusted IP addresses only.
Configure firewall rules to allow only authorized IPs to reach the FortiSOAR management ports.
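The "Rate Limiting" workaround above is described only in terms of where to configure it. The block below is an added example, not FortiSOAR code, showing the shape of a limiter a defender would put in front of a change-password handler: a sliding window keyed both by source IP and by the target account. The second key matters for this advisory because the attacker is authenticated, so a valid session could be used to guess another user's password from many addresses. The endpoint path, field names, thresholds and the `verify_old_password` stand-in are assumptions for illustration.

```python
"""Sliding-window rate limiter for a change-password endpoint.

Added example for the "Rate Limiting" workaround; not FortiSOAR code.
Thresholds and names below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque

MAX_ATTEMPTS = 5   # change-password attempts allowed per key within WINDOW
WINDOW = 300.0     # seconds


class ChangePasswordLimiter:
    """Limit change-password attempts per source IP and per target account.

    Limiting only by IP leaves room for a distributed attacker; limiting
    only by account lets one client hammer many accounts. Both are tracked.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)   # key -> timestamps of allowed attempts

    def _check(self, key, now):
        """Return True and record the attempt if key is under its budget."""
        q = self.attempts[key]
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False                        # rejected attempts are not recorded
        q.append(now)
        return True

    def allow(self, src_ip, target_user, now):
        """Return True if a change-password request may be processed.

        The IP budget is checked first so that a source already over its
        limit cannot keep draining the target account's budget (which would
        turn the limiter into a lockout of the legitimate user).
        """
        if not self._check(("ip", src_ip), now):
            return False
        return self._check(("user", target_user), now)


def handle_change_password(limiter, src_ip, target_user, now, verify_old_password):
    """Gate the password-change handler behind the limiter.

    verify_old_password is a stand-in for the application's own check (an
    assumption for this example). The limiter runs first so every guess
    costs budget whatever its outcome. Returns an HTTP-style status code.
    """
    if not limiter.allow(src_ip, target_user, now):
        return 429
    if not verify_old_password():
        return 403
    return 200


if __name__ == "__main__":
    lim = ChangePasswordLimiter(max_attempts=3, window=60.0)
    for t in range(5):
        print(t, handle_change_password(lim, "203.0.113.5", "admin", t, lambda: False))
```

Timestamps are passed in explicitly so the behaviour is deterministic and testable; a real deployment would use the request clock. Rejected attempts are not recorded, so a blocked client regains budget as the window slides rather than being locked out indefinitely.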
🧯 If You Can't Patch
- Implement strong password policies and multi-factor authentication to reduce brute force effectiveness
- Monitor authentication logs for suspicious password change attempts and failed login patterns
🔍 How to Verify
Check if Vulnerable:
Check the FortiSOAR version via the admin interface or the csadm version command.
Check Version:
csadm version
Verify Fix Applied:
Verify that the version reported by the csadm version command is 7.4.4, 7.3.3, 7.2.3, or 7.0.4.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password change attempts from same IP/user
- Unusual patterns of password reset requests
- Successful password changes from unexpected locations
Network Indicators:
- High volume of POST requests to /api/v1/auth/change-password endpoint
- Requests with sequential password attempts
SIEM Query:
source="fortisoar" AND (url_path="/api/v1/auth/change-password" OR event_type="password_change") | stats count by src_ip, user
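To make the log indicators and the SIEM query above concrete, the block below is an added example (not FortiSOAR code) that runs the same aggregation over a handful of constructed log lines and raises the two alerts a defender cares about here: a burst of failed change-password attempts against one account from one source, and a success that follows such a burst. The log format, field names (`src_ip`, `user`, `target`, `path`, `result`) and the threshold are assumptions; real FortiSOAR logs will need their own parser.

```python
"""Detect brute-force activity against a change-password endpoint.

Added example for this advisory; not FortiSOAR code. The log format and
field names are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real FortiSOAR output).
SAMPLE_LOGS = """\
2024-09-10T12:00:01Z src_ip=203.0.113.5 user=alice target=admin path=/api/v1/auth/change-password result=failure
2024-09-10T12:00:02Z src_ip=203.0.113.5 user=alice target=admin path=/api/v1/auth/change-password result=failure
2024-09-10T12:00:03Z src_ip=203.0.113.5 user=alice target=admin path=/api/v1/auth/change-password result=failure
2024-09-10T12:00:04Z src_ip=203.0.113.5 user=alice target=admin path=/api/v1/auth/change-password result=failure
2024-09-10T12:00:05Z src_ip=203.0.113.5 user=alice target=admin path=/api/v1/auth/change-password result=failure
2024-09-10T12:00:06Z src_ip=203.0.113.5 user=alice target=admin path=/api/v1/auth/change-password result=success
2024-09-10T12:05:00Z src_ip=198.51.100.7 user=bob target=bob path=/api/v1/auth/change-password result=success
2024-09-10T12:06:00Z src_ip=198.51.100.7 user=bob target=bob path=/api/v1/alerts result=success
"""

CHANGE_PASSWORD_PATH = "/api/v1/auth/change-password"
FAILURE_THRESHOLD = 5          # failures per key inside WINDOW before alerting (assumed)
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed 'key=value' log line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def analyze(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (counts, alerts).

    counts mirrors the page's SIEM query: change-password requests per
    (src_ip, user). alerts holds tuples for a burst of >= threshold failures
    against one target from one source inside `window`, and for a success
    that follows such a burst (the sign that the guessing worked).
    """
    counts = defaultdict(int)
    failures = defaultdict(list)   # (src_ip, target) -> timestamps of recent failures
    alerts = []
    flagged = set()                # keys already reported for a burst
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("path") != CHANGE_PASSWORD_PATH:
            continue
        counts[(ev["src_ip"], ev["user"])] += 1
        key = (ev["src_ip"], ev["target"])
        # Slide the window: keep only failures no older than `window`.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            recent.append(ev["ts"])
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("burst", ev["src_ip"], ev["target"], len(recent)))
        elif ev["result"] == "success" and len(recent) >= threshold:
            alerts.append(("success_after_burst", ev["src_ip"], ev["target"], len(recent)))
        failures[key] = recent
    return dict(counts), alerts


if __name__ == "__main__":
    counts, alerts = analyze(SAMPLE_LOGS)
    for (ip, user), n in sorted(counts.items()):
        print(f"{ip:15} {user:8} {n}")
    for alert in alerts:
        print("ALERT", alert)
```

The burst is keyed on the target account rather than the acting user, because the page's point is that an authenticated user can attack other accounts' passwords; the "success after burst" alert is the one worth paging on, since it indicates a likely compromised account rather than just noise.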