CVE-2024-46670 in FortiOS
Summary
by MITRE • 01/14/2025
An Out-of-bounds Read vulnerability [CWE-125] in FortiOS version 7.6.0, version 7.4.4 and below, version 7.2.9 and below and FortiSASE FortiOS tenant version 24.3.b IPsec IKE service may allow an unauthenticated remote attacker to trigger memory consumption leading to Denial of Service via crafted requests.
Analysis
by VulDB Data Team • 02/01/2025
The vulnerability identified as CVE-2024-46670 represents a critical out-of-bounds read flaw classified under CWE-125 within FortiOS implementations. This security weakness affects multiple versions of the Fortinet FortiOS operating system including 7.6.0, 7.4.4 and below, 7.2.9 and below, as well as the FortiSASE FortiOS tenant version 24.3.b. The issue specifically targets the IPsec IKE service component which is fundamental to establishing secure communication tunnels between network devices. The vulnerability manifests when the system processes crafted malicious requests that exploit improper bounds checking in memory access operations.
Technically, the flaw stems from inadequate input validation within the IPsec IKE service handler. When an unauthenticated remote attacker sends specially crafted packets to an affected FortiOS device, the service reads memory beyond the boundaries of the allocated buffer. Such out-of-bounds reads can trigger unpredictable behavior, including system instability, memory corruption, or complete service disruption. Because the attack vector requires no authentication credentials, any external party able to reach the IKE service can potentially exploit this weakness without prior access to the network infrastructure.
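The bounds-checking failure the analysis describes, illustrated by an added C example that is not Fortinet's code and says nothing about where the actual FortiOS defect lies: a walker over an IKEv2 message (RFC 7296 fixed header and generic payload header layout) that checks every declared length against the bytes actually received and rejects the datagram, instead of reading past it, whenever a length field points beyond the buffer. The two sample messages, the MAX_PAYLOADS bound and the result codes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IKE_HDR_LEN 28          /* RFC 7296 section 3.1: fixed IKE header */
#define IKE_PL_HDR_LEN 4        /* RFC 7296 section 3.2: generic payload header */
#define IKE_NO_NEXT_PAYLOAD 0   /* next-payload value that ends the chain */
#define MAX_PAYLOADS 64         /* constructed cap on chain length */

enum ike_parse_result {
    IKE_OK = 0,
    IKE_ERR_SHORT_HEADER,       /* fewer than 28 bytes received */
    IKE_ERR_LENGTH_MISMATCH,    /* header Length != bytes received, or trailing bytes */
    IKE_ERR_PAYLOAD_TRUNCATED,  /* a payload claims more bytes than remain */
    IKE_ERR_PAYLOAD_TOO_SMALL,  /* a payload length smaller than its own header */
    IKE_ERR_TOO_MANY_PAYLOADS   /* chain longer than MAX_PAYLOADS */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the payload chain of one IKE message (non-ESP marker already stripped by the caller).
 * Every read is preceded by a check that the bytes it needs were actually received. */
enum ike_parse_result ike_walk_payloads(const uint8_t *buf, size_t len, unsigned *count_out)
{
    if (len < IKE_HDR_LEN)
        return IKE_ERR_SHORT_HEADER;
    if (be32(buf + 24) != len)              /* Length covers the whole message, header included */
        return IKE_ERR_LENGTH_MISMATCH;

    uint8_t next = buf[16];                 /* header's Next Payload field */
    size_t off = IKE_HDR_LEN;
    unsigned count = 0;
    while (next != IKE_NO_NEXT_PAYLOAD) {
        if (++count > MAX_PAYLOADS)
            return IKE_ERR_TOO_MANY_PAYLOADS;
        if (len - off < IKE_PL_HDR_LEN)     /* not even a generic header left to read */
            return IKE_ERR_PAYLOAD_TRUNCATED;
        uint16_t plen = be16(buf + off + 2);
        if (plen < IKE_PL_HDR_LEN)          /* would loop forever or underflow */
            return IKE_ERR_PAYLOAD_TOO_SMALL;
        if (plen > len - off)               /* the out-of-bounds case: reject, never read it */
            return IKE_ERR_PAYLOAD_TRUNCATED;
        next = buf[off];
        off += plen;
    }
    if (off != len)                         /* bytes after the last payload */
        return IKE_ERR_LENGTH_MISMATCH;
    if (count_out) *count_out = count;
    return IKE_OK;
}

/* Constructed sample: IKE_SA_INIT header plus two small payloads, 42 bytes in total.
 * Payload bodies are filler; only the length chain matters here. */
const uint8_t SAMPLE_OK[] = {
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,   /* initiator SPI (constructed) */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,   /* responder SPI, zero in an IKE_SA_INIT request */
    0x21, 0x20, 0x22, 0x08,                    /* next payload 33 (SA), version 2.0, exchange 34, flags I */
    0x00,0x00,0x00,0x00,                       /* message ID 0 */
    0x00,0x00,0x00,0x2a,                       /* length 42 */
    0x28,0x00,0x00,0x08, 0xaa,0xbb,0xcc,0xdd,  /* payload 1: next 40 (Nonce), length 8 */
    0x00,0x00,0x00,0x06, 0x01,0x02             /* payload 2: next 0 (none), length 6 */
};

/* Same datagram, but payload 2 declares 256 bytes that were never sent. */
const uint8_t SAMPLE_BAD[] = {
    0x11,0x11,0x11,0x11,0x11,0x11,0x11,0x11,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x21, 0x20, 0x22, 0x08,
    0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x2a,
    0x28,0x00,0x00,0x08, 0xaa,0xbb,0xcc,0xdd,
    0x00,0x00,0x01,0x00, 0x01,0x02             /* length 0x0100 reaches past the buffer */
};

/* Payload count of the well-formed sample, or -1 if it is rejected. */
int sample_ok_payload_count(void)
{
    unsigned n = 0;
    return ike_walk_payloads(SAMPLE_OK, sizeof(SAMPLE_OK), &n) == IKE_OK ? (int)n : -1;
}

int main(void)
{
    printf("well-formed sample: %d payloads\n", sample_ok_payload_count());
    printf("oversized length field: result %d\n",
           ike_walk_payloads(SAMPLE_BAD, sizeof(SAMPLE_BAD), NULL));
    printf("truncated datagram: result %d\n",
           ike_walk_payloads(SAMPLE_OK, sizeof(SAMPLE_OK) - 1, NULL));
    return 0;
}
```

The walker compares each declared length against the bytes remaining before it touches a single byte of payload, which is the check CWE-125 is about; the rejected datagram is dropped at the cost of one bounded loop, so a flood of malformed messages cannot make the parser allocate or read in proportion to an attacker-chosen length field.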
From an operational impact perspective, this vulnerability creates significant risk for organizations relying on FortiOS for network security. The denial of service condition can disrupt critical network communications, particularly affecting remote access capabilities and site-to-site VPN connections that depend on IPsec IKE functionality. Network administrators may experience extended downtime while investigating and resolving the service disruption, potentially impacting business continuity and operational efficiency. The vulnerability's potential for memory consumption escalation means that sustained attacks could lead to complete system exhaustion and permanent service unavailability.
Security professionals should implement immediate mitigations including applying the latest Fortinet security patches released for affected versions. Network segmentation and access control measures can help limit exposure by restricting direct internet access to affected IPsec IKE services. Monitoring network traffic for suspicious patterns and implementing intrusion detection systems can provide early warning of exploitation attempts. Organizations should also consider disabling unnecessary IPsec IKE services when not actively required and maintain comprehensive network logging to facilitate forensic analysis should an attack occur. The vulnerability aligns with ATT&CK technique T1499.004 for network denial of service and represents a critical threat to network availability and integrity within enterprise security infrastructures.