CVE-2024-46670
📋 TL;DR
An out-of-bounds read vulnerability in FortiOS IPsec IKE service allows unauthenticated remote attackers to trigger memory consumption leading to denial of service via crafted requests. Affected systems include FortiOS versions 7.6.0, 7.4.4 and below, 7.2.9 and below, and FortiSASE FortiOS tenant version 24.3.b.
💻 Affected Systems
- FortiOS
- FortiSASE FortiOS tenant
📦 What is this software?
FortiOS by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of IPsec VPN functionality, potentially affecting remote access and site-to-site connectivity.
Likely Case
Degraded performance or temporary unavailability of IPsec services due to memory exhaustion.
If Mitigated
Minimal impact with proper network segmentation and monitoring in place.
🎯 Exploit Status
Exploitation requires crafting specific IPsec IKE requests to trigger the out-of-bounds read and memory consumption.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.6.1, 7.4.5, 7.2.10, and later versions; FortiSASE FortiOS tenant 24.4 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-266
Restart Required: No
Instructions:
1. Log into the FortiGate/FortiSASE management interface.
2. Navigate to System > Firmware.
3. Check for available updates.
4. Download and install the patched version.
5. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable IPsec IKE service if not needed
Temporarily disable IPsec VPN functionality to eliminate the attack surface.
config vpn ipsec phase1-interface
edit <interface_name>
set status down
end
Restrict access to IPsec services
Apply firewall policies to limit which source IPs can reach the IPsec services.
config firewall policy
edit <policy_id>
set srcaddr <trusted_networks>
end
🧯 If You Can't Patch
- Implement network segmentation to isolate IPsec services from untrusted networks.
- Deploy intrusion prevention systems (IPS) with signatures for this CVE if available.
🔍 How to Verify
Check if Vulnerable:
Check the FortiOS version from the CLI with 'get system status' and compare it against the affected versions.
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify installed version is 7.6.1, 7.4.5, 7.2.10 or higher, or FortiSASE tenant 24.4+.
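The version check above is easy to get wrong by hand because each release branch has its own fixed build. The following added example (not Fortinet's code and not part of this advisory) parses the `Version:` line of `get system status` and applies the affected ranges exactly as listed on this page; the sample status output is constructed, and branches the page does not mention are reported as "not listed" rather than guessed.

```python
"""Classify a FortiOS 'get system status' output against the CVE-2024-46670
affected ranges listed on this page (added example, not Fortinet's code)."""
import re

# Affected ranges as stated on the page: 7.6.0 only; 7.4.x up to 7.4.4;
# 7.2.x up to 7.2.9. Fixed in 7.6.1, 7.4.5 and 7.2.10. Any branch not in
# this table (e.g. 7.0.x) is outside what the page lists, so it is not judged.
AFFECTED_MAX = {
    (7, 6): (7, 6, 0),
    (7, 4): (7, 4, 4),
    (7, 2): (7, 2, 9),
}

VERSION_RE = re.compile(r"v(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output: str) -> tuple:
    """Return (major, minor, patch) from the 'Version:' line of 'get system status'.

    The line normally looks like
    'Version: FortiGate-100F v7.2.8,build1639,240326 (GA.M)'.
    """
    for line in status_output.splitlines():
        if line.strip().startswith("Version:"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())
    raise ValueError("no 'Version:' line with a vX.Y.Z string found")


def assess(version: tuple) -> str:
    """Return 'vulnerable', 'fixed' or 'not listed' for CVE-2024-46670."""
    branch = version[:2]
    if branch not in AFFECTED_MAX:
        return "not listed"
    # Tuple comparison orders (7, 2, 10) after (7, 2, 9) correctly,
    # which a naive string compare would not.
    return "vulnerable" if version <= AFFECTED_MAX[branch] else "fixed"


# Constructed sample output: the layout follows the real CLI, the values are made up.
SAMPLE_STATUS = """Version: FortiGate-100F v7.2.8,build1639,240326 (GA.M)
Security Level: 0
Firmware Signature: certified
Virus-DB: 92.07453(2024-09-10 12:00)
"""

if __name__ == "__main__":
    v = parse_version(SAMPLE_STATUS)
    print(".".join(map(str, v)), "->", assess(v))
```

Paste the real `get system status` output in place of the constructed sample; the script only needs the `Version:` line.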
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption spikes in IPsec processes
- Multiple failed IPsec IKE negotiation attempts from single sources
- Log entries indicating IPsec service crashes or restarts
Network Indicators:
- Abnormal volume of IPsec IKE packets (UDP port 500/4500) from suspicious sources
- IPsec tunnel establishment failures that follow a repeating pattern
SIEM Query:
source="fortigate" AND (("ipsec" AND ("memory" OR "crash" OR "restart")) OR ((dest_port=500 OR dest_port=4500) AND src_ip NOT IN [trusted_nets]))
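The two log indicators above (repeated failed IKE negotiations from one source, and IPsec/IKE process crashes or restarts) can be checked outside a SIEM as well. The following added example, which is not part of this advisory and not Fortinet's code, parses FortiGate-style key=value log lines, counts failed negotiations per remote IP in a sliding time window, and picks out system events that mention IPsec or IKE together with memory pressure, a crash or a restart. The log lines, the threshold, the `iked` process name and the field values are constructed for the example.

```python
"""Run the detection ideas from this page over constructed FortiGate-style
key=value log lines (added example, not from the advisory or Fortinet)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiGate logs are key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
IPSEC_RE = re.compile(r"\b(ipsec|iked?)\b")
HEALTH_WORDS = ("memory", "crash", "restart")


def parse_kv(line: str) -> dict:
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def _timestamp(rec: dict) -> datetime:
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")


def find_ike_bursts(lines, threshold: int = 5, window=timedelta(seconds=60)) -> dict:
    """Return {remote_ip: count} for sources with at least `threshold` failed
    IKE negotiations inside any `window` (constructed threshold, tune locally)."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_kv(line)
        if (rec.get("subtype") == "vpn" and rec.get("action") == "negotiate"
                and rec.get("level") in ("error", "warning")):
            per_src[rec["remip"]].append(_timestamp(rec))
    flagged = {}
    for ip, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def find_ipsec_health_events(lines) -> list:
    """Return (date, time, msg) for events whose text mentions IPsec/IKE together
    with memory pressure, a crash or a restart."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        text = f"{rec.get('logdesc', '')} {rec.get('msg', '')}".lower()
        if IPSEC_RE.search(text) and any(w in text for w in HEALTH_WORDS):
            hits.append((rec.get("date"), rec.get("time"), rec.get("msg")))
    return hits


def _vpn_error(t: str, ip: str) -> str:
    """Constructed phase 1 failure line in FortiGate key=value style."""
    return (f'date=2024-09-11 time={t} type="event" subtype="vpn" level="error" vd="root" '
            f'logdesc="IPsec phase 1 error" action="negotiate" remip={ip} locip=198.51.100.1 '
            f'remport=500 locport=500 msg="IPsec phase 1 error"')


# Constructed sample: six failures from one source in 20 s, one from another,
# one process crash event, and one benign negotiation progress line.
SAMPLE_LOGS = [_vpn_error(t, "203.0.113.5") for t in
               ("10:00:01", "10:00:03", "10:00:05", "10:00:08", "10:00:12", "10:00:20")] + [
    _vpn_error("10:00:30", "198.51.100.7"),
    'date=2024-09-11 time=10:01:05 type="event" subtype="system" level="critical" vd="root" '
    'logdesc="Process crashed" msg="iked process crashed and was restarted"',
    'date=2024-09-11 time=10:02:00 type="event" subtype="vpn" level="notice" vd="root" '
    'logdesc="IPsec phase 1 progress" action="negotiate" remip=192.0.2.10 locip=198.51.100.1 '
    'remport=500 locport=500 msg="progress IPsec phase 1"',
]

if __name__ == "__main__":
    print("IKE failure bursts:", find_ike_bursts(SAMPLE_LOGS))
    print("IPsec health events:", find_ipsec_health_events(SAMPLE_LOGS))
```

Feed exported FortiGate event logs (one line per record) in place of `SAMPLE_LOGS`; the burst threshold and window are starting points to tune against the normal negotiation rate of your own VPN peers.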