CVE-2024-55591 Scanner

Detects ‘Authentication Bypass’ vulnerability in Fortinet FortiOS affects v. 7.0.0 through 7.0.16 and FortiProxy v. 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. This scanner helps identify unauthenticated access paths that may lead to super-admin privilege escalation.

Short Info


Level

Critical

Single Scan

Single Scan

Can be used by

Asset Owner

Estimated Time

10 seconds

Time Interval

20 days 9 hours

Scan only one

Domain, Subdomain, IPv4

Toolbox

-

Fortinet FortiOS is a popular network security operating system used in Fortinet products such as firewalls, VPNs, and unified threat management appliances. It is deployed in enterprise, government, and service provider environments to protect against a wide range of network threats. FortiProxy, a component of the Fortinet suite, is used to provide advanced web filtering, caching, and secure web access. These systems are typically managed by network administrators and security teams to ensure safe and reliable access control. Fortinet products are integrated into both on-premise and cloud-based environments. Due to their critical position in network security, vulnerabilities in Fortinet systems can pose significant risk to organizational infrastructure.

The vulnerability being tested is an authentication bypass caused by the use of an alternate path or channel to access administrative functions. This flaw allows a remote attacker to exploit the WebSocket module in Node.js to circumvent the normal authentication flow. As a result, the attacker can gain unauthorized access to protected interfaces. By exploiting this weakness, a malicious user may obtain super-admin privileges without prior authentication. This type of vulnerability is critical because it undermines the trust and security model of the system. The issue affects specific versions of FortiOS and FortiProxy, as outlined in the CVE description.

The vulnerability resides in how FortiOS and FortiProxy handle certain WebSocket upgrade requests. Specifically, sending a request to a crafted path such as `/watchTowr-` with WebSocket upgrade headers may allow bypassing authentication controls. The first HTTP request attempts to reach the login redirect page, and a second request tries to upgrade the connection to WebSocket. A successful bypass is identified by specific strings in the HTTP response body and headers, as well as a 101 Switching Protocols response. The combination of HTTP status, content, and upgrade behavior confirms the existence of the vulnerability. Attackers can leverage this to access administrative endpoints without valid credentials. This scanner automates the detection by simulating the described attack flow.

If exploited, the vulnerability can allow unauthorized remote attackers to gain super-admin level access to the Fortinet device. This means full control over the device’s configuration, monitoring, and security enforcement features. Such unauthorized access could lead to severe breaches including modification of firewall rules, access to sensitive logs and data, and pivoting into internal networks. An attacker may disable security services, hide malicious activity, or use the compromised device to launch further attacks. In high-security environments, this can compromise the integrity of the entire network perimeter. As a critical issue, it requires immediate attention and remediation.

Get started to protecting your digital assets