Blog
>
Research
8
 Min read

Vulnerability Spotlight: Reverse Analysis of FortiOS Vulnerability CVE-2024-21762 Explained

Published on 
Mar 7, 2024
Delve into our in-depth investigation of FortiOS vulnerability CVE-2024-21762, where we employed reverse analysis techniques to uncover critical flaws

On 08/02/2024 we stumbled upon a new vulnerability in FortiOS (CVE-2024-21762) published by Fortinet PSIRT Advisory (Reference: https://www.fortiguard.com/psirt/FG-IR-24-015). In the first moment we thought that the vulnerability was related to older vulnerabilities, but to be sure and protected we decided to investigate further.

Methodology

We started by analyzing one of the older versions that was vulnerable to this vulnerability, with a new firmware version that according to Fortinet had the patch applied. 

In this process we used Bindiff to compare the two different firmware versions. FortiOS embeds all the binaries in a monolithic big binary called “init”. 

From Bindiff with Ghidra we were able to identify the differences between the unpatched and patched version.

From here we can understand that there were some differences. We checked all the function changes, and identified two as the most important that would trigger this vulnerability.

We already knew what to search, as per Fortinet Advisory the vulnerability was described as Out of Bound Write. So we were looking for Improper Input validation to find this vulnerability.

Voila, we were able to find the vulnerability in the code.

The first function: The param_1 variable is checked to see if it's equal to 0. If it is, the program logs an assertion failure and terminates. However, if param_1 is not properly validated and a user can set it to a different parameter other than 0, it could lead to unexpected behavior. For instance, if the program logic relies on param_1 being 0 to execute certain critical operations or checks, bypassing this check by setting param_1 to a different value could lead to unintended behavior or security vulnerabilities.

The second function: The function attempts to create directories. If the input on one of the parameters is controlled by an attacker, they might be able to perform directory traversal attacks by manipulating the path to access or modify sensitive files outside the intended directory structure.

Same parameter was used in both functions.

Dynamic Analysis

The Advisory was telling that the vulnerability is in the SSL VPN module. There are not a lot of public endpoints in SSL. We tried different requests in /remote but no luck with it.

As we were searching on it, Bishop Fox again released a Vulnerability Scanner for this version. (Reference: https://bishopfox.com/blog/cve-2024-21762-vulnerability-scanner-for-fortigate-firewalls). 

Checking the scanner we found a bunch of useful information that could help us further in our research. It seems related to the improper Input validation that we discovered earlier on function 1. 

The vulnerability is triggered when the chunked data body is not zero. We checked the possible paths where chunked requests could be sent and we discovered that public endpoints don’t support chunked requests. 

So to exploit this vulnerability would require to send a chunked request to any path under /remote via POST.

This callbacks to something else that we know, HTTP Request Smuggling in HTTP/1.1. 

HTTP Request Smuggling 

The front-end server uses the Content-Length header and the back-end server uses the Transfer-Encoding header. The front-end server processes the Content-Length header and determines the request body. This request is forwarded on to the back-end server. The back-end server processes the Transfer-Encoding header, and so treats the message body as using chunked encoding. It processes the first chunk, which is stated to be zero length, and so is treated as terminating the request. The following bytes are left unprocessed, and the back-end server will treat these as being the start of the next request in the sequence. (Reference: https://portswigger.net/web-security/request-smuggling).

Conclusion

This vulnerability is proved to have a high impact and the other exploitation paths can be Stack Buffer Overflow and Remote Code Execution. The administrators of these devices have to make sure that  the SSL VPN is turned off or patched to the latest version as is exploitable. 

Sphere Detection

In February we also started monitoring scanners searching for Fortigate SSL VPN instances with our proprietary tool Sphere. 

From the graph below we can deduce that after this advisory there has been an increase in the scanners looking for Fortigate SSL VPN instances. According to Fortinet Advisory this is being potentially exploited in the wild. 

Disclaimer

We conducted these tests because we are users and Service providers for Fortinet. With no information about the vulnerability we decided to check because wanted to be sure if it was an exploitable vulnerability or just something else being patched and prompting administrators to a new version. 

The information that we have gathered and analyzed is provided as it is with no warranty that is 100% certain.

Other Articles

Shodan, usage and how to be protected
Research

Shodan, usage and how to be protected

Traditional search engines like Google index websites and return web sites and web content. Shodan index IoT devices and returns publicly accessible information about them rather than website content.

Brenton
Brenton
2
 min read
Dec 19, 2023
Sphere's Threat Intelligence Detects CVE-2023-20198 Exploit: Urging Immediate Cybersecurity Action
Cyberthreats

Sphere's Proactive Detection Shields Against CVE-2023-20198 Exploitation

Sphere's proprietary threat intelligence tool has detected active exploitation of CVE-2023-20198, highlighting its critical role in cybersecurity vigilance. This detection, alongside advisories from Cisco Talos, underscores the urgent need for users to apply recommended patches and enhance network monitoring to protect against sophisticated cyber threats.

Brenton
Brenton
3
 min read
Dec 19, 2023
Real Estate Industry and Cybersecurity
Cybersecurity Awareness

Real Estate Industry and Cybersecurity

In recent years, the frequency and severity of hacker attacks have risen significantly. Ransomware attacks have been especially disruptive, as cybercriminals seize critical data and demand exorbitant payments for its release. This not only extorts money but also causes significant disruptions to business operations, and in some cases, even endangers lives.

Rei
Rei
5
 min read
Dec 19, 2023
Raising Awareness and the Role of Independent Auditors
Cybersecurity Awareness

Raising Awareness and the Role of Independent Auditors

Tirana International Hotel, June 30, 2023, IEKA (Institute of Registered Accounting Experts) held an important seminar on cyber security. The event highlighted the challenges of increasing cyber risk and highlighted the key role of independent auditors in identifying and mitigating these risks

Xheni
Xheni
2
 min read
Dec 19, 2023
View all
By clicking "Accept" you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.
DenyAccept