Introduction
Attackers can force administrative logouts or escalate privileges in FortiIsolator deployments through crafted cookies, directly impacting security operations and policy control. Organizations relying on FortiIsolator for browser isolation and threat prevention must address this vulnerability to prevent disruption or unauthorized configuration changes.
Fortinet is a leading global cybersecurity vendor with a broad product portfolio, including FortiGate firewalls, FortiMail, and FortiIsolator. FortiIsolator provides browser isolation to protect users from web-based threats by executing web content in remote containers. The platform is widely used in enterprise environments to mitigate zero-day and phishing risks, making vulnerabilities in its authentication mechanisms especially significant for operational security.
Technical Information
CVE-2024-33507 is a compound vulnerability in FortiIsolator's authentication mechanism, combining insufficient session expiration (CWE-613) and incorrect authorization (CWE-863). The flaws are present in the following versions:
- 2.4.0 through 2.4.4
- All 2.3 releases
- 2.2.0
- All 2.1 releases
- All 2.0 releases
Mechanism:
- Insufficient Session Expiration (CWE-613): The session management logic does not properly expire or validate session state. An unauthenticated remote attacker can craft a cookie that, when submitted to the authentication endpoint, causes active admin sessions to be deauthenticated. This results in forced logouts and denial of administrative access.
- Incorrect Authorization (CWE-863): The authorization mechanism improperly trusts permission indicators in client-supplied cookies. An authenticated user with read-only access can modify their cookie to escalate privileges to write access, bypassing intended server-side permission checks. This enables unauthorized configuration changes and policy modifications.
No public code snippets or vulnerable code fragments are available. The root cause is reliance on client-side cookie data for both session validity and authorization, without sufficient server-side validation or cryptographic integrity checks.
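As an added illustration (not code from the advisory or from Fortinet), the following Python contrasts the flawed pattern the root cause describes with a server-side design: the cookie is an opaque id plus an HMAC, role and expiry live only in the server's session store, and a logout can end only the session the cookie itself proves. SERVER_KEY, SESSIONS and every function name are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, server-side only
SESSIONS = {}  # authoritative state: session id -> {"user", "role", "expires"}

def create_session(user, role, ttl=900):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role, "expires": time.time() + ttl}
    return sid

def sign_cookie(sid):
    """Cookie = opaque id + HMAC; it carries no role and no expiry for the client to edit."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"

def weak_authorize(cookie):
    """The flawed pattern (CWE-863): the role is read straight out of the cookie."""
    fields = dict(kv.split("=", 1) for kv in cookie.split(";") if "=" in kv)
    return fields.get("role", "read-only")

def _verified_sid(cookie):
    """Return the session id only if the cookie's MAC verifies, else None."""
    sid, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return sid if hmac.compare_digest(mac.encode(), expected.encode()) else None

def hardened_authorize(cookie, now=None):
    """Role and expiry come from the server store; tampered or expired cookies yield None."""
    now = time.time() if now is None else now
    sid = _verified_sid(cookie)
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["expires"] <= now:
        SESSIONS.pop(sid, None)  # CWE-613 fix: expiry is enforced server-side
        return None
    return sess["role"]

def logout(cookie):
    """Only the session proven by a valid cookie can be ended; a cookie cannot log out others."""
    sid = _verified_sid(cookie)
    return sid is not None and SESSIONS.pop(sid, None) is not None
```

Run against a read-only session, the hardened check rejects a cookie with an edited MAC, an unknown id or a missing separator, and an unverified cookie cannot end anyone's session.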
Patch Information
Fortinet has addressed the OS command injection vulnerability in FortiSandbox by releasing updated versions that rectify the flaw. The vulnerability, identified as CWE-78, allowed authenticated users with at least read-only permissions to execute unauthorized commands through crafted requests.
To mitigate this issue, Fortinet recommends upgrading to the following versions:
- FortiSandbox 5.0: Not affected; no action required.
- FortiSandbox 4.4: Upgrade to version 4.4.5 or later.
- FortiSandbox 4.2: Upgrade to version 4.2.7 or later.
- FortiSandbox 4.0: Upgrade to version 4.0.5 or later.
- FortiSandbox 3.2 and earlier: These versions are affected; users should migrate to a fixed release.
For FortiSandbox Cloud users, Fortinet has remediated the issue in version 24.1 during Q3/24, and no further action is required.
To ensure your system is protected, it's crucial to verify your current FortiSandbox version and perform the necessary upgrades as outlined above.
Patch source: https://www.fortiguard.com/psirt/FG-IR-24-061
Affected Systems and Versions
- FortiIsolator 2.4.0 through 2.4.4
- All FortiIsolator 2.3 versions
- FortiIsolator 2.2.0
- All FortiIsolator 2.1 versions
- All FortiIsolator 2.0 versions
FortiIsolator version 3.0 and later are not affected.
Vendor Security History
Fortinet has a history of authentication and session management vulnerabilities across its products, with regular advisories and a mature PSIRT process. Previous issues include session expiration flaws in FortiSandbox and authentication bypasses in FortiOS and FortiProxy. The vendor's patch response is generally prompt, and advisories are detailed. CVE-2024-33507 was discovered internally, reflecting proactive security practices.