7.5 CVE-2024-26013
A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device
https://nvd.nist.gov/vuln/detail/CVE-2024-26013
Categories
CWE-923 : Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) S-bus functionality in a home automation product performs access control using an IP allowlist, which can be bypassed by a forged IP address. A troubleshooting tool exposes a web server on a random port between 9000-65535 that could be used for information gathering A WAN interface on a router has firewall restrictions enabled for IPv4, but it does not for IPv6, which is enabled by default Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy. Mobile banking application does not verify hostname, leading to financial loss. chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversry-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). DNS server can accept DNS updates from hosts that it did not query, leading to cache poisoning
References
CPE
| cpe |
start |
end |
| Configuration 1 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 6.2.0 |
< 6.2.14 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 6.4.0 |
< 6.4.15 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 7.0.0 |
< 7.0.12 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 7.2.0 |
< 7.2.5 |
| cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* |
>= 7.4.0 |
< 7.4.3 |
| Configuration 2 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 6.2.0 |
< 6.2.14 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 6.4.0 |
< 6.4.15 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 7.0.0 |
< 7.0.12 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 7.2.0 |
< 7.2.5 |
| cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* |
>= 7.4.0 |
< 7.4.3 |
| Configuration 3 |
| cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* |
>= 6.4.0 |
< 7.0.16 |
| cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* |
>= 7.2.0 |
< 7.2.9 |
| cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* |
>= 7.4.0 |
< 7.4.5 |
| Configuration 4 |
| cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* |
>= 2.0.0 |
< 7.0.16 |
| cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* |
>= 7.2.0 |
< 7.2.10 |
| cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* |
>= 7.4.0 |
< 7.4.3 |
| Configuration 5 |
| cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:* |
>= 6.0.0 |
< 6.4.9 |
| cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:* |
>= 7.0.0 |
< 7.0.3 |
| Configuration 6 |
| cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* |
>= 7.4.0 |
< 7.4.3 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 161 |
Infrastructure Manipulation
An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account. |
High |
| 481 |
Contradictory Destinations in Traffic Routing Schemes
Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank. |
High |
| 501 |
Android Activity Hijack
An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity. [Find an android application that uses implicit intents] Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents to launch an Android-based trusted activity, and what that activity is. [Create a malicious app] The adversary must create a malicious android app meant to intercept implicit intents to launch an Adroid-based trusted activity. This malicious app will mimic the trusted activiy's user interface to get the user to enter sensitive data. [Get user to download malicious app] The adversary must get a user using the targeted app to download the malicious app by any means necessary [Gather sensitive data through malicious app] Once the target application sends an implicit intent to launch a trusted activity, the malicious app will be launched instead that looks identical to the interface of that activity. When the user enters sensitive information it will be captured by the malicious app. |
Medium |
| 697 |
DHCP Spoofing
[Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN. [Capture the DHCP DISCOVER message] The adversary captures "DISCOVER" messages and crafts "OFFER" responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these "DISCOVER" messages. [Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself. |
High |
MITRE
Techniques
| id |
description |
| T1090.004 |
Proxy:Domain Fronting |
| T1557.003 |
Adversary-in-the-Middle: DHCP Spoofing |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
| id |
description |
| M1020 |
If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting. |
| M1031 |
Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level. |
| © 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
