CVE-2024-47570
📋 TL;DR
This vulnerability (CWE-532, insertion of sensitive information into a log file) allows a read-only administrator to retrieve other administrators' API tokens by reading the REST API event logs, which a read-only admin profile with log viewing permission is allowed to do. It affects Fortinet's FortiOS, FortiProxy, FortiPAM and FortiSRA across multiple versions. Exploitation requires REST API logging to be enabled, which is not the default configuration.
💻 Affected Systems
- FortiOS
- FortiProxy
- FortiPAM
- FortiSRA
📦 What is this software?
FortiOS by Fortinet
FortiPAM by Fortinet
FortiProxy by Fortinet
FortiSASE by Fortinet
FortiSRA by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker with read-only admin access reads another administrator's API token from the REST API logs and uses it against the REST API with that administrator's privileges. If the token belongs to a super_admin account, that is full administrative control of the device, and from there the attacker can change policies, create accounts and pivot into the rest of the network.
Likely Case
A malicious insider or a compromised read-only admin account harvests API tokens from the logs and uses them for unauthorized configuration changes or data exfiltration; because the requests authenticate as the token's legitimate owner, the activity is attributed to that administrator.
If Mitigated
With REST API logging disabled (the default) the tokens are never written to the log, so there is nothing for a read-only administrator to read; combined with restricted log access, residual risk is minimal.
🎯 Exploit Status
Exploitation requires a read-only administrator account and REST API logging enabled. No exploit code is needed: the attacker reads the REST API event logs through the normal log viewer or log export, which a read-only profile is permitted to use, and copies the token out of the logged request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 7.4.4, 7.2.8, 7.0.14; FortiProxy 7.4.4, 7.2.12; FortiPAM 1.4.1, 1.3.2, 1.2.3, 1.1.3, 1.0.4; FortiSRA 1.4.1
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-268
Restart Required: Yes
Instructions:
1. Download the appropriate firmware update from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the version with get system status.
6. Treat any API token that may already have been written to the logs as exposed: regenerate it (execute api-user generate-key <api-user>) and review log history for use of the old token.
🔧 Temporary Workarounds
Disable REST API Logging
Disable REST API request logging so that request URLs and headers, token included, are not written to the event log. In config log setting the two relevant options are rest-api-set (POST/PUT/DELETE requests) and rest-api-get (GET requests):
config log setting
set rest-api-set disable
set rest-api-get disable
end
Restrict Log Access
Remove Log & Report permission from read-only admin profiles that do not need it, so those administrators cannot read the event log where the tokens appear (config system accprofile, edit the profile, set loggrp none). Also review where REST API logs are forwarded (FortiAnalyzer, syslog) and restrict access to those copies, since the tokens are in them too.
🧯 If You Can't Patch
- Disable REST API logging immediately if it is enabled (config log setting, set rest-api-set disable, set rest-api-get disable)
- Remove log viewing permission (loggrp) from read-only admin profiles that do not need it, and restrict access to forwarded log copies on FortiAnalyzer or syslog servers
- Regenerate any API token that may already have been written to the logs (execute api-user generate-key <api-user>)
- Monitor for administrative API activity from source addresses associated with read-only admin sessions
🔍 How to Verify
Check if Vulnerable:
Check whether REST API logging is enabled: show full-configuration log setting | grep rest-api (both rest-api-set and rest-api-get should read disable), or check the GUI under Log & Report > Log Settings
Check Version:
get system status | grep Version
Verify Fix Applied:
Confirm that get system status reports a fixed release for your branch (see Official Fix above); on a fixed release API tokens are no longer written to the REST API logs, so logging may be re-enabled if needed. Until then, confirm that both rest-api-set and rest-api-get are disabled, and that tokens which were logged before the fix have been regenerated.
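To make the two checks above repeatable across a fleet, here is an added example (not Fortinet's code) that parses the Version line of get system status and the output of show full-configuration log setting. The fixed-release table is taken from the Official Fix section of this page; the sample outputs are constructed, the build and date fields in them are placeholders, and the assumption is that the Version line has the usual "vX.Y.Z,build..." shape. A branch missing from the table gets "no-fix-listed" rather than a guess.

```python
import re

# Fixed releases as listed in the "Official Fix" section of this page, keyed by
# product and release branch (major, minor) -> first fixed (major, minor, patch).
FIXED_RELEASES = {
    "FortiOS":    {(7, 4): (7, 4, 4), (7, 2): (7, 2, 8), (7, 0): (7, 0, 14)},
    "FortiProxy": {(7, 4): (7, 4, 4), (7, 2): (7, 2, 12)},
    "FortiPAM":   {(1, 4): (1, 4, 1), (1, 3): (1, 3, 2), (1, 2): (1, 2, 3),
                   (1, 1): (1, 1, 3), (1, 0): (1, 0, 4)},
    "FortiSRA":   {(1, 4): (1, 4, 1)},
}

# Constructed sample outputs (build number and date are placeholders).
SAMPLE_STATUS = "Version: FortiGate-100F v7.4.3,build1234,240101 (GA.F)\n"
SAMPLE_LOG_SETTING = (
    "config log setting\n"
    "    set rest-api-set enable\n"
    "    set rest-api-get disable\n"
    "end\n"
)

VERSION_RE = re.compile(r'\bv(\d+)\.(\d+)\.(\d+)\b')
REST_API_LOG_RE = re.compile(r'^\s*set rest-api-(set|get) (enable|disable)\s*$', re.MULTILINE)


def parse_version(status_output):
    """Extract (major, minor, patch) from the Version line of get system status."""
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no vX.Y.Z version string found in status output")
    return tuple(int(x) for x in m.groups())


def assess(product, status_output):
    """Return 'fixed', 'vulnerable' or 'no-fix-listed' for one device's firmware."""
    version = parse_version(status_output)
    first_fixed = FIXED_RELEASES[product].get(version[:2])
    if first_fixed is None:
        # Branch not in the table above: consult the vendor advisory rather than guess.
        return "no-fix-listed"
    return "fixed" if version >= first_fixed else "vulnerable"


def rest_api_logging_enabled(log_setting_output):
    """True if either REST API logging option is enabled in the log setting output."""
    return any(state == "enable" for _, state in REST_API_LOG_RE.findall(log_setting_output))


def exposure(product, status_output, log_setting_output):
    """Combine both checks: a vulnerable build that is not logging REST API
    requests is not currently exploitable, but still needs the patch."""
    verdict = assess(product, status_output)
    if verdict == "vulnerable" and not rest_api_logging_enabled(log_setting_output):
        return "vulnerable-but-not-logging"
    return verdict


if __name__ == "__main__":
    print(parse_version(SAMPLE_STATUS), exposure("FortiOS", SAMPLE_STATUS, SAMPLE_LOG_SETTING))
```

Feed it the captured output of both commands per device (for example from an SSH inventory run) and act on "vulnerable" first, then "vulnerable-but-not-logging", and look up any "no-fix-listed" branch in the vendor advisory.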
📡 Detection & Monitoring
Log Indicators:
- Read-only administrators viewing or exporting event logs shortly before administrative changes they are not entitled to make
- Configuration changes or REST API requests attributed to an administrator who was not active at that time
- REST API requests from a source address that a read-only administrator's GUI or CLI session used shortly before
Network Indicators:
- API calls authenticated with an administrator's token from a source address not previously associated with that administrator
- Abnormal administrative activity patterns (new admin accounts, profile changes, configuration changes outside change windows)
SIEM Query:
Illustrative only: field names depend on how your SIEM parses FortiGate syslog, and FortiGate event records carry the admin username (user) and source address (srcip) but no role field, so the list of read-only accounts comes from your own admin inventory.
source="fortigate" AND type="event" AND subtype="system" AND srcip IN (<source IPs of recent read-only admin sessions>) AND NOT user IN (<read-only admin accounts>)
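The two detections above, run over sample log lines, as an added example (not Fortinet's code and not part of the original advisory). The records are constructed in FortiGate key=value syslog style: the admin login record mirrors the real "Admin login successful" event, while the shape of a REST API request record (the logdesc text and a url field carrying the request path) is an assumption for illustration. The first function finds tokens that have landed in the log in cleartext (the list of tokens to regenerate); the second flags API requests made in one admin's name from a source address that a read-only admin used shortly before, which is the attack shape this CVE enables.

```python
import re
from datetime import datetime

# Constructed sample records (addresses are documentation ranges, token is made up).
SAMPLE_LOGS = [
    'date=2024-12-10 time=09:00:12 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="auditor" ui="https(203.0.113.7)" '
    'srcip=203.0.113.7 action="login" status="success" '
    'msg="Administrator auditor logged in successfully from https(203.0.113.7)"',
    # Vulnerable behaviour: the request URL, access_token included, lands in the log.
    'date=2024-12-10 time=09:01:40 type="event" subtype="system" level="information" '
    'logdesc="REST API request" user="admin" srcip=198.51.100.20 action="GET" '
    'url="/api/v2/cmdb/firewall/policy?access_token=q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6" '
    'msg="REST API request"',
    # Attack shape: the auditor's source address now issues an API call as "admin".
    'date=2024-12-10 time=09:15:03 type="event" subtype="system" level="information" '
    'logdesc="REST API request" user="admin" srcip=203.0.113.7 action="POST" '
    'url="/api/v2/cmdb/system/admin" msg="REST API request"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Two ways a FortiOS API token travels in a request: access_token query
# parameter or an Authorization: Bearer header (minimum length is a guess).
TOKEN_RES = [
    re.compile(r'access_token=([A-Za-z0-9]{16,})'),
    re.compile(r'Bearer\s+([A-Za-z0-9]{16,})'),
]


def parse_line(line):
    """Parse one FortiGate-style log line into a dict of field -> value."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def timestamp(rec):
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def mask(token):
    """Never echo a full token into an alert: keep only the ends for identification."""
    return token[:4] + "..." + token[-4:]


def find_logged_tokens(lines):
    """Return (masked token, admin the request ran as, record) for every line
    that carries a cleartext API token. Each owner's token needs regenerating."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        for pat in TOKEN_RES:
            for m in pat.finditer(line):
                hits.append((mask(m.group(1)), rec.get("user"), rec))
    return hits


def token_reuse_alerts(lines, readonly_admins, window_seconds=3600):
    """Flag API requests in one admin's name coming from a source address that a
    read-only admin used within window_seconds before (assumes a request record
    is recognisable by its url field)."""
    recs = sorted((parse_line(l) for l in lines), key=timestamp)
    recent_readonly = {}  # srcip -> (read-only admin, time last seen)
    alerts = []
    for rec in recs:
        user, src, ts = rec.get("user"), rec.get("srcip"), timestamp(rec)
        if user in readonly_admins and src:
            recent_readonly[src] = (user, ts)
            continue
        if "url" in rec and src in recent_readonly:
            ro_user, seen = recent_readonly[src]
            if (ts - seen).total_seconds() <= window_seconds and user != ro_user:
                alerts.append({"api_user": user, "readonly_user": ro_user,
                               "srcip": src, "time": ts.isoformat(), "url": rec["url"]})
    return alerts


if __name__ == "__main__":
    for masked, owner, _ in find_logged_tokens(SAMPLE_LOGS):
        print(f"token {masked} used by admin {owner!r} is in the log: regenerate it")
    for a in token_reuse_alerts(SAMPLE_LOGS, {"auditor"}):
        print(f"ALERT: {a['srcip']} called {a['url']} as {a['api_user']} "
              f"{a['time']} after a session by read-only admin {a['readonly_user']}")
```

The correlation only needs user, srcip and the timestamp, which FortiGate event records do carry; the set of read-only admins is supplied from your inventory because the log itself does not state a role. The window is deliberately generous, since the attacker may read the token in one session and use it later from the same workstation.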