3.1 CVE-2024-50565
An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2, 6.4.0 through 6.4.8 and 6.0.0 through 6.0.12 and Fortinet FortiWeb version 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, 7.0.0 through 7.0.10 allows an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server and/or, in certain conditions, FortiManager) by intercepting the FGFM authentication request between the management device and the managed device.
https://nvd.nist.gov/vuln/detail/CVE-2024-50565
Categories
CWE-300 : Channel Accessible by Non-Endpoint
In order to establish secure communication between two parties, it is often important to adequately verify the identity of entities at each end of the communication channel. Inadequate or inconsistent verification may result in insufficient or incorrect identification of either communicating entity. This can have negative consequences such as misplaced trust in the entity at the other end of the channel. An attacker can leverage this by interposing between the communicating entities and masquerading as the original entity. In the absence of sufficient verification of identity, such an attacker can eavesdrop and potentially modify the communication between the original entities.
References
CPE
cpe | start | end
Configuration 1
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* | >= 7.4.0 | < 7.4.3
Configuration 2
cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:* | >= 6.0.0 | < 6.4.9
cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:* | >= 7.0.0 | < 7.0.3
Configuration 3
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | >= 2.0.0 | < 7.0.16
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | >= 7.2.0 | < 7.2.10
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* | >= 7.4.0 | < 7.4.3
Configuration 4
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | >= 6.4.0 | < 7.0.16
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | >= 7.2.0 | < 7.2.9
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* | >= 7.4.0 | < 7.4.5
Configuration 5
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | >= 6.2.0 | < 6.2.14
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | >= 6.4.0 | < 6.4.15
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | >= 7.0.0 | < 7.0.12
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | >= 7.2.0 | < 7.2.5
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:* | >= 7.4.0 | < 7.4.3
Configuration 6
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | >= 6.2.0 | < 6.2.14
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | >= 6.4.0 | < 6.4.15
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | >= 7.0.0 | < 7.0.12
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | >= 7.2.0 | < 7.2.5
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* | >= 7.4.0 | < 7.4.3
REMEDIATION
EXPLOITS
Exploit-db.com
id | description | date
No known exploits
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
id | description | severity
466 | Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy: An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public Wi-Fi hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS. | Medium
57 | Utilizing REST's Trust in the System Resource to Obtain Sensitive Data: This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to obtain sensitive data once SSL is terminated. [Find a REST-style application that uses SSL] The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate. [Insert a listener to sniff client-server communication] The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information. [Gather information passed in the clear] If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user. | Very High
589 | DNS Blocking: An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed. |
590 | IP Address Blocking: An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address. | High
612 | WiFi MAC Address Tracking: In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future. | Low
613 | WiFi SSID Tracking: In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future. | Low
615 | Evil Twin Wi-Fi Attack: Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data traffic is intercepted, captured, and analyzed. This also allows the adversary to use "adversary-in-the-middle" (CAPEC-94) for all communications. | Low
662 | Adversary in the Browser (AiTB): The adversary tricks the victim into installing the Trojan Horse malware onto their system. The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components. The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes. | Very High
94 | Adversary in the Middle (AiTM): [Determine Communication Mechanism] The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit. [Position In Between Targets] The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components. [Use Intercepted Data Maliciously] The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes. | Very High
MITRE
Techniques
id | description
T1040 | Network Sniffing
T1185 | Browser Session Hijacking
T1557 | Adversary-in-the-Middle
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Mitigations
id | description
M1018 | In cloud environments, ensure that users are not granted permissions to create or modify traffic mirrors unless this is explicitly required.
M1017 | Close all browser sessions regularly and when they are no longer needed.
M1017 | Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to intercept HTTPS traffic. Certificate errors may arise when the application's certificate does not match the one expected by the host.
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.