CVE-2024-46668

7.5 HIGH

📋 TL;DR

CVE-2024-46668 is an allocation-of-resources-without-limits flaw in FortiOS: an unauthenticated remote attacker who can reach an affected FortiGate can send many large file uploads in parallel, driving the unit out of memory and into a denial of service. Affected releases are FortiOS 6.4.0 through 6.4.15, 7.0.0 through 7.0.15, 7.2.0 through 7.2.8 and 7.4.0 through 7.4.4. Any FortiGate running one of these is exposed, and the risk is highest where the upload-accepting service is reachable from untrusted networks.

💻 Affected Systems

Products:
  • FortiOS
Versions: 6.4.0 through 6.4.15, 7.0.0 through 7.0.15, 7.2.0 through 7.2.8, 7.4.0 through 7.4.4
Operating Systems: FortiOS
Default Config Vulnerable: ⚠️ Yes
Notes: The advisory lists no configuration prerequisite, so treat every FortiGate on an affected build as vulnerable wherever a service that accepts file uploads is reachable by the attacker. The flaw is in FortiOS itself, not in a particular security profile or feature licence.

📦 What is this software?

FortiOS is the operating system that runs Fortinet's FortiGate firewalls. It terminates VPNs, inspects and forwards traffic, and hosts the device's management GUI, API and other services, so exhausting its memory takes down everything the unit does.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory is fully consumed and the FortiGate crashes or reboots, dropping every flow it forwards, every VPN it terminates and its management plane until it recovers, and again on the next round of uploads if the attacker keeps going.

🟠 Likely Case

Memory pressure pushes the unit into conserve mode: performance degrades, new sessions may be refused, and proxy-based inspection either blocks traffic or passes it unscanned depending on the av-failopen setting under config system global. Check that setting before assuming inspection fails closed during an attack.

🟢 If Mitigated

With the exposed service restricted to trusted sources, per-source session limits in place, and memory and conserve-mode events monitored, an attempt is contained to a short, logged spike rather than an outage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication is needed and the technique is simply many concurrent large uploads, so the bar is low: no public PoC is listed here, and none is required beyond the ability to send large uploads repeatedly to an exposed service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiOS 7.4.5, 7.2.9, 7.0.16, 6.4.16

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-219

Restart Required: Yes (a FortiOS firmware upgrade reboots the FortiGate; plan a maintenance window or upgrade an HA cluster member by member)

Instructions:

1. Confirm the supported upgrade path from the current build to the target release (Fortinet publishes an upgrade path tool); skipping required intermediate builds can break the configuration migration.
2. Back up the current configuration (System > Configuration > Backup, or from the CLI: execute backup config tftp <filename> <server>).
3. Download the firmware image for your model from the Fortinet support portal and verify its checksum against the value shown there.
4. Upload and install the image via the GUI (System > Firmware) or CLI; the unit reboots as part of the upgrade.
5. Verify with get system status that the running version is the fixed build for its branch, then confirm traffic, VPN and HA status are normal.

🔧 Temporary Workarounds

Inspect and log upload traffic on transit policies (visibility, not a rate limit)

all

FortiOS has no per-source upload rate limiter, and the policy below does not add one: it turns on security-profile inspection and full traffic logging for a transit policy, so large uploads passing through the firewall are inspected and recorded. It does nothing for uploads sent to a service on the FortiGate itself, which is what this vulnerability exhausts, so use it for visibility and pair it with the source restriction and per-source session cap described under the next workaround.

config firewall policy
edit <policy_id>
set utm-status enable
set av-profile <profile_name>
set dlp-sensor <sensor_name>
set ips-sensor <sensor_name>
set application-list <list_name>
set logtraffic all
next
end

Restrict file upload sources

all

Limit which sources can reach the FortiGate service that accepts uploads. Transit firewall policies (config firewall policy) do not apply here: traffic destined to the unit itself is governed by local-in policies, and the administrative GUI and API additionally by each admin account's trusthost settings. Local-in traffic that matches no local-in policy is accepted, so the accept entry below must be followed by a deny entry for the same interface and service, and your own management source must be in the trusted set before that deny is applied or you lock yourself out.

config firewall local-in-policy
edit <policy_id>
set intf <exposed_interface>
set srcaddr <trusted_address>
set dstaddr all
set service <service_name>
set schedule always
set action accept
next
end
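The two workarounds above reduce who can reach the exposed service and how much a single source can hold open at once. The following is an added example, not from this page or Fortinet's advisory, putting both into working FortiOS CLI. It assumes port1 is the interface facing untrusted networks, an address object or group named MGMT_TRUSTED for trusted sources, HTTPS as the service that accepts the uploads, and an admin account named admin; the session threshold of 20 and the trusted-host subnet are assumptions to be sized against legitimate client behaviour. Lines beginning with # are explanatory, not commands.

```fortios
# Added example; placeholder names (port1, MGMT_TRUSTED, HTTPS, admin) are assumptions.

# 1. Only trusted sources may reach the service on the FortiGate itself.
#    Local-in policies govern traffic destined to the unit, not transit traffic.
#    Unmatched local-in traffic is accepted, so entry 2 (deny) is what enforces the limit.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_TRUSTED"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end

# 2. Cap concurrent TCP sessions per source on the exposed interface so one host
#    cannot keep many parallel uploads open. DoS policies are evaluated at ingress,
#    ahead of local-in and transit policies, so this covers traffic to the unit too.
#    Threshold 20 is an assumption: set it above what real clients open in parallel.
config firewall DoS-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        config anomaly
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 20
            next
        end
    next
end

# 3. For the administrative GUI and API specifically, pin each admin account to
#    trusted hosts (10.0.0.0/24 is an assumed management subnet). Repeat per account.
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
```

Apply step 1 from a session originating inside MGMT_TRUSTED, since the deny entry takes effect immediately. Step 2 logs each block (set log enable), which doubles as a detection signal for the indicators listed later on this page; if a legitimate bulk client trips it, raise the threshold rather than removing the policy.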

🧯 If You Can't Patch

  • Keep any upload-accepting service off untrusted networks: no internet-facing administrative access, and local-in policies plus admin trusted hosts limiting who can reach the unit at all.
  • A network IPS or upstream rate limiter in front of the FortiGate can cap connections and bytes per source, but it cannot tell an abusive upload from a legitimate large one; tune thresholds to real client behaviour and alert rather than block where false positives would disrupt operations.
  • Decide deliberately whether proxy-based inspection should fail open or closed under memory pressure (av-failopen under config system global) instead of discovering the default during an attack.
  • Alert on memory usage and conserve-mode events so an attack in progress is noticed before the unit falls over, and keep a console or out-of-band path available to reboot it.

🔍 How to Verify

Check if Vulnerable:

Check FortiOS version via CLI: 'get system status' or GUI: System > Dashboard > System Information.

Check Version:

get system status | grep Version

Verify Fix Applied:

The fix is per branch: 7.4.x is fixed from 7.4.5, 7.2.x from 7.2.9, 7.0.x from 7.0.16 and 6.4.x from 6.4.16. Compare the running version from get system status against the fixed build of its own branch only; a 7.2.8 unit is still vulnerable even though 7.4.4 is a higher number, and 7.4.4 is still vulnerable even though 7.2.9 is fixed. Releases outside the affected list (7.6 and later) need no action for this CVE.

📡 Detection & Monitoring

Log Indicators:

  • Many concurrent or back-to-back large upload sessions from a single source IP to a service on the FortiGate itself
  • Memory usage climbing to the conserve-mode threshold, and conserve-mode events in the event log (type=event, subtype=system, logdesc containing "conserve mode")
  • Anomaly logs from a DoS policy (tcp_src_session) if one is configured on the exposed interface

Network Indicators:

  • Unusually high volume of upload traffic to any service hosted on the FortiGate itself, as opposed to transit traffic through it
  • Multiple large HTTP POST requests from one source to the same upload endpoint, often overlapping in time

SIEM Query:

The field names below assume FortiGate's native syslog keys (type, srcip, dstip, sentbyte, logdesc); sentbyte is the byte count from source to destination, which is what an upload inflates. Connections that terminate on the FortiGate itself only produce traffic logs if local-in logging is enabled (config log setting, local-in-allow), otherwise the first query sees nothing.

source="fortigate" type=traffic sentbyte>10000000 | stats count sum(sentbyte) as upload_bytes by srcip dstip service

source="fortigate" type=event subtype=system logdesc="*conserve mode*" | stats count by devname logdesc
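The indicators and queries above only work if the relevant events reach the SIEM at all, and an analyst also needs to triage a unit that is already under memory pressure. The following is an added example, not from this page or Fortinet, of the FortiOS CLI settings and diagnostic commands for that. 203.0.113.10 is a constructed source address and 443 is the assumed port of the upload-accepting service. Lines beginning with # are explanatory, not commands.

```fortios
# Added example; 203.0.113.10 and port 443 are assumptions for illustration.

# Log connections that terminate on the FortiGate itself. By default only transit
# traffic produces traffic logs, so uploads sent to a FortiGate service would never
# appear in the SIEM and the sentbyte-based query could not fire.
config log setting
    set local-in-allow enable
    set local-in-deny-unicast enable
end

# Live triage from the CLI (diagnostic commands, not configuration changes):
get system performance status              # current memory usage percentage
diagnose hardware sysinfo conserve         # conserve-mode state and the enter/exit thresholds
diagnose sys top 2 10                      # refresh every 2 s, top 10 processes; press m to sort by memory
diagnose sys session stat                  # total session count (a sudden jump is a flood signal)
diagnose sys session filter dport 443      # narrow the session table to the exposed service ...
diagnose sys session filter src 203.0.113.10   # ... or to one suspicious source
diagnose sys session list                  # list the matching sessions
diagnose sys session filter clear          # clear the filter when finished
```

Enable the logging settings before an incident, not during one: under memory pressure the unit may already be shedding work, and retrospective analysis of an attack that was never logged is not possible. The session filter commands are read-only and safe to run on a struggling unit; avoid clearing sessions in bulk unless you have confirmed they belong to the attacker.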

🔗 References

  • Fortinet PSIRT advisory FG-IR-24-219: https://fortiguard.fortinet.com/psirt/FG-IR-24-219
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-46668
