FortiManager from Fortinet is a central network management solution that provides unified management of different Fortinet devices in a network. From the administrative dashboard of the software, users can access the Alert Message Console, which gathers logs from linked Fortinet devices, including the FortiManager instance itself.

During one of our security assessments, we identified the tested FortiManager instance as being vulnerable to Log Pollution in the aforementioned Alert Message Console. This issue has been reported to Fortinet and disclosed under CVE-2024-52962; for affected versions, see Fortinet's PSIRT advisory at https://www.fortiguard.com/psirt/FG-IR-24-453.

Log Pollution - CVE-2024-52962

By sending a crafted payload in the username field of the login form, resulting in a failed login attempt, an unauthenticated attacker could create arbitrary log messages in the Alert Message Console on the admin dashboard.

For a normal failed login, the following entry is added to the Alert Message Console. This example uses the username offensity and the source IP address 10.10.10.10.

'offensity' login failed from GUI(10.10.10.10), reason:Authentication failure. Please try again...

During the assessment, we found that appending a double quote (") to the username resulted in the following truncated log message:

'offensity

As nothing precedes the username in the log message except a single quote ('), an attacker can place an arbitrary log message in the username field.

In the screenshot below, a login attempt is made with a username value ending in a double quote ("). The password field is deliberately left empty so that the login attempt fails.

Crafted payload in the username field.

As a result, only the text entered as the username appears in the resulting log entry.

Fake entries created in the Alert Message Console.

This log pollution is carried out through the failed-login event, so an attacker does not need valid credentials. Because IT administrators may trust these logs implicitly, attackers could use the crafted entries for social engineering. The entries can also introduce false information into a forensic investigation.
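The following Python example is added here to illustrate two sides of the issue described above; it is not FortiManager's code and not part of the original advisory. First, it models the observed behaviour (the entry is cut at the first double quote, leaving only a single quote and the attacker-chosen text) beside a hardened formatter that escapes the user-controlled field and keeps the template fixed. Second, it implements a simple consistency check a defender or forensic analyst could run over exported console entries: any line that does not carry the full failed-login structure is flagged as suspicious. The regular expression, the function names and the sample entries are assumptions reconstructed from the example in this post.

```python
import re

# Expected shape of a genuine failed-login entry, reconstructed from the example
# in the post. This pattern is an assumption for the example, not a Fortinet spec.
FAILED_LOGIN_RE = re.compile(
    r"^'(?P<user>(?:[^'\\]|\\.)*)' login failed from "
    r"(?P<src>[A-Za-z]+)\((?P<ip>[0-9A-Fa-f.:]+)\), reason:(?P<reason>.+)$"
)


def format_failed_login_observed(username, src, ip, reason):
    """Model of the behaviour described in the post (a reconstruction, not
    FortiManager's code): if the username contains a double quote, everything
    from that quote onward is dropped and only "'<text>" reaches the console."""
    before_quote = username.split('"', 1)[0]
    if before_quote != username:
        return "'" + before_quote
    return f"'{username}' login failed from {src}({ip}), reason:{reason}"


def sanitize_field(value, max_len=64):
    """Bound the length first (so an escape sequence is never cut in half),
    then escape control characters and the entry's own delimiter."""
    escaped = value[:max_len].encode("unicode_escape").decode("ascii")
    return escaped.replace("'", "\\'")


def format_failed_login_hardened(username, src, ip, reason):
    """Fixed-template formatter: the user-controlled field is escaped and can
    never change the structure of the entry, so quotes, newlines and over-long
    input still produce a complete, parseable failed-login line."""
    return f"'{sanitize_field(username)}' login failed from {src}({ip}), reason:{reason}"


def classify_entry(line):
    """'expected' if the entry has the full failed-login structure, otherwise
    'suspicious' (truncated or free-form text that never came from the template)."""
    return "expected" if FAILED_LOGIN_RE.match(line) else "suspicious"


def find_suspicious(lines):
    """Return the console entries that do not match the expected structure."""
    return [line for line in lines if classify_entry(line) == "suspicious"]


# Constructed sample of Alert Message Console entries (not a real capture).
SAMPLE_ENTRIES = [
    "'offensity' login failed from GUI(10.10.10.10), reason:Authentication failure. Please try again...",
    "'offensity",
    "'Backup completed successfully",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{classify_entry(entry):10s} {entry}")
    print(format_failed_login_observed('offensity"', "GUI", "10.10.10.10", "Authentication failure"))
    print(format_failed_login_hardened('offensity"', "GUI", "10.10.10.10", "Authentication failure"))
```

Running the script prints the first sample entry as expected and the two free-form entries as suspicious; the observed model yields the truncated "'offensity" line from the post, while the hardened formatter keeps the same input inside a complete entry. The structural check is deliberately strict: a real failed-login line always carries the source, IP and reason fields, so their absence is the simplest signal that an entry was not produced by the template.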

Timeline

16.10.2024 - Vulnerability was reported to Fortinet.

17.10.2024 - First response from the vendor.

29.10.2024 - Fortinet reproduced the issue.

25.11.2024 - Fortinet informed us of the timeline for the fix.

08.04.2025 - Security Advisory for CVE-2024-52962 was published by Fortinet: https://www.fortiguard.com/psirt/FG-IR-24-453