CVE-2024-46667
Published: 14 January 2025
Summary
CVE-2024-46667 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Fortinet Fortisiem. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-46667 is a vulnerability involving allocation of resources without limits or throttling, classified under CWE-770, affecting Fortinet FortiSIEM in all versions of 5.3 and 5.4, all 6.x versions, all 7.0 versions, and 7.1.0 through 7.1.5. The issue enables an attacker to consume all allotted connections, resulting in the denial of valid TLS traffic.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the vulnerability can be exploited remotely by unauthenticated attackers requiring low complexity and no user interaction. Exploitation leads to a denial-of-service condition by exhausting connections and blocking legitimate TLS traffic.
Mitigation details are available in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-164.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42207
Vulnerability details
A allocation of resources without limits or throttling in Fortinet FortiSIEM 5.3 all versions, 5.4 all versions, 6.x all versions, 7.0 all versions, and 7.1.0 through 7.1.5 may allow an attacker to deny valid TLS traffic via consuming all allotted…
more
connections.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated resource exhaustion vuln directly enables exploitation of public-facing app (T1190) to achieve application DoS via system exploitation (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-6 requires mechanisms to protect system resources from unauthorized allocation and consumption, directly addressing the unlimited TLS connection allocation in FortiSIEM.
SC-5 mandates denial-of-service protections that limit the effects of resource exhaustion attacks like connection flooding targeting TLS traffic.
AC-10 limits concurrent sessions or connections, mitigating exhaustion of allotted TLS connections by enforcing usage quotas.