A critical security vulnerability, tracked as CVE-2024-40591, has been identified in Fortinet FortiOS versions 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and 7.0.x releases prior to 7.0.15. This vulnerability, classified as Incorrect Privilege Assignment [CWE-266], can be exploited by authenticated admin users holding the Security Fabric permission to escalate their privileges to super-admin level. Attackers could take advantage of this flaw by connecting the targeted FortiGate to a malicious upstream FortiGate they control.
Vulnerability Details
CVE-2024-40591 is caused by an incorrect privilege assignment in Fortinet FortiOS that lets authenticated admin users who hold the Security Fabric permission escalate their privileges to super-admin. This flaw can grant an attacker unauthorized access, allowing them to take full control of the affected system. The vulnerable versions are 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.9, and any 7.0.x release before 7.0.15.
Here is a pseudocode snippet illustrating how this vulnerability can be exploited once the appropriate permissions are obtained:
    // assume an admin user holding the Security Fabric permission is authenticated
    if (user.hasSecurityFabricPermission) {
        // connect the targeted FortiGate to a malicious upstream FortiGate
        connectToUpstreamFortiGate(maliciousUpstreamFortiGate);
        // escalate privileges to super-admin
        user.escalatePrivilegeToSuperAdmin();
    }
Original references
- Fortinet Advisory
- NIST National Vulnerability Database (NVD)
- MITRE CVE Dictionary
An attacker would have to follow these steps to exploit this vulnerability:
1. Ensure they have administrative access to the targeted FortiGate device and possess the Security Fabric permission.
2. Create and control a malicious upstream FortiGate to be connected to the targeted FortiGate device.
3. Employ the attack methodology, as illustrated in the code snippet above, to escalate their privileges to super-admin level.
Mitigations
Fortinet has addressed this vulnerability in its software updates. Users must upgrade vulnerable systems to FortiOS version 7.0.15 or later, 7.2.10 or later, 7.4.5 or later, or 7.6.1 or later, depending on their release branch.
Additionally, organizations should adopt the following best practices to minimize the risk of such attacks:
- Follow the principle of least privilege, ensuring that users have only the minimum required permissions.
- Regularly audit access controls and accounts to detect any misconfigurations or unauthorized escalations.
- Monitor logs and network traffic to quickly identify any suspicious activity that could signal an ongoing attack.
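The auditing and monitoring advice above can be turned into a concrete check. The following is an added example (not from this article or from Fortinet): it correlates Security Fabric upstream changes with subsequent super_admin profile grants by the same account in FortiGate-style key=value event logs. The sample lines are constructed, and the field names and cfgattr wording (system.csf, upstream[...], accprofile[old->new]) are assumptions modelled on FortiGate configuration-change logs, so adjust them to what your devices actually emit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value event-log format.
# Field names and cfgattr wording are assumptions, not captured real logs.
SAMPLE_LOGS = [
    'date=2025-02-11 time=10:01:05 type="event" subtype="system" action="Edit" '
    'user="fabric_admin" cfgpath="system.csf" cfgattr="upstream[->198.51.100.7]" msg="Edit system.csf"',
    'date=2025-02-11 time=10:01:40 type="event" subtype="system" action="Edit" '
    'user="fabric_admin" cfgpath="system.admin" cfgobj="fabric_admin" '
    'cfgattr="accprofile[fabric_only->super_admin]" msg="Edit system.admin fabric_admin"',
    'date=2025-02-11 time=11:30:00 type="event" subtype="system" action="Edit" '
    'user="ops_admin" cfgpath="system.admin" cfgobj="svc_backup" '
    'cfgattr="accprofile[prof_admin->super_admin]" msg="Edit system.admin svc_backup"',
]

# key=value pairs; values are either double-quoted (group 3) or bare (group 2)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def to_super_admin(rec):
    """True if the record changes an admin account's accprofile to super_admin."""
    attr = rec.get("cfgattr", "")
    return (rec.get("cfgpath") == "system.admin"
            and attr.startswith("accprofile[") and attr.endswith("->super_admin]"))


def detect(lines, window=timedelta(minutes=30)):
    """Return (severity, actor, target_account, timestamp) for every super_admin grant.
    Severity is 'high' when the same actor changed the Security Fabric upstream
    within `window` beforehand (the pattern described for CVE-2024-40591), else 'review'."""
    recs = [parse_line(l) for l in lines]
    for r in recs:
        r["ts"] = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
    upstream_changes = [r for r in recs if r.get("cfgpath") == "system.csf"
                        and r.get("cfgattr", "").startswith("upstream[")]
    alerts = []
    for r in recs:
        if not to_super_admin(r):
            continue
        linked = [u for u in upstream_changes
                  if u["user"] == r["user"] and timedelta(0) <= r["ts"] - u["ts"] <= window]
        alerts.append(("high" if linked else "review", r["user"], r.get("cfgobj"), r["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Every super_admin grant is worth a review; the correlated case is the one to escalate first.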
Conclusion
CVE-2024-40591, an Incorrect Privilege Assignment vulnerability in Fortinet FortiOS, can have serious security ramifications if not addressed promptly. By exploiting this flaw, authenticated admin users with the Security Fabric permission could escalate their privileges to super-admin level.
Organizations using Fortinet FortiOS should immediately update the software to the latest version to protect against this vulnerability. Implementing best practices and regularly auditing access controls can provide additional layers of security, preventing unauthorized escalations and potential attacks.
Timeline
Published on: 02/11/2025 17:15:22 UTC