Fortinet FortiAnalyzer/FortiManager/FortiOS, Authentication Bypass Using an Alternate Path or Channel, Critical

Listen to this Post

The vulnerability is an authentication bypass in the FortiCloud SSO authentication mechanism. When enabled, the system fails to properly validate the association between a registered device and the specific FortiCloud account that registered it. An attacker with a valid FortiCloud account and a device registered to it can craft authentication requests that incorrectly authorize access to other devices registered under different, victim FortiCloud accounts. The flaw lies in the logic that checks the device-to-account binding during the SSO token validation process on the Fortinet appliance. Instead of ensuring the requesting user’s account owns the target device serial number, the system may accept a valid SSO token from any account for any registered device identifier, allowing lateral movement across customer environments.
Platform: Fortinet FortiAnalyzer/FortiManager/FortiOS
Version: 7.0.0-7.0.18/7.2.0-7.2.12/7.4.0-7.4.10/7.6.0-7.6.5
Vulnerability : Authentication Bypass
Severity: Critical (9.4)
date: Not Specified

Prediction: 2024-08-30

What Undercode Say:

curl -H "Authorization: Bearer <ATTACKER_FORTICLOUD_TOKEN>" https://<VICTIM_DEVICE_IP>/api/v2/cmdb/system/admin
Pseudo-code for flawed validation
def validate_sso_token(token, target_device_serial):
user_account = get_account_from_token(token) Attacker's account
Missing check: if target_device_serial in user_account.registered_devices
return generate_local_session(target_device_serial) Session granted incorrectly

How Exploit:

Attacker with FortiCloud account registers own device. Attacker obtains SSO token. Attacker targets victim device serial number known via information gathering. Attacker sends crafted request with their token and victim’s device ID. System bypasses account-device binding check, granting administrative access.

Protection from this CVE

Disable FortiCloud SSO.

Apply vendor patches immediately.

Implement network access controls.

Impact:

Unauthorized administrative access.

Complete system compromise.

Cross-account data breach.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top