Warning: Two Critical Vulnerabilities Affect Multiple Fortinet Products
CVE-2024-21762: CVSS 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-23113: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
UPDATE 2024-02-12: Fortinet has added more vulnerable products since 09/02/2024.
Sources
https://www.fortiguard.com/psirt/FG-IR-24-015
https://www.fortiguard.com/psirt/FG-IR-24-029
Risks
Fortinet has released security patches to address two critical vulnerabilities that are affecting FortiOS.
The vulnerabilities have a low attack complexity, do not require user interaction and have a HIGH impact on Confidentiality, Integrity and Availability.
Fortinet, as well as other sources, has confirmed that CVE-2024-21762 is actively being exploited. CVE-2024-23113 is also expected to be used to compromise Fortinet products.
Earlier vulnerabilities were used to compromise Fortinet products to deploy malware, in particular CVE-2022-42475 and CVE-2023-27997. Fortinet warned about the active exploitation of these old vulnerabilities in their blog post “The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities”.
Furthermore, exploitation of CVE-2024-21762 in the wild by threat actors has been observed.
Description
CVE-2024-21762: Out-of-bounds write.
An out-of-bounds write vulnerability may allow a remote unauthenticated attacker to gain remote code execution via maliciously crafted HTTP requests.
CVE-2024-23113: Externally-controlled format string.
A use of externally-controlled format string vulnerability in the fgfmd daemon may allow a remote unauthenticated attacker to gain remote code execution via maliciously crafted HTTP requests.
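The following is an added illustration of the bug class behind CVE-2024-23113 (CWE-134, externally-controlled format string); it is generic example code written for this advisory, not Fortinet's code, and it does not model the fgfmd daemon. It shows the vulnerable pattern (untrusted text used as the format string) beside the hardened one (a literal format string with the untrusted text passed as an argument), plus a small review-time helper, count_format_directives, that flags how many '%' sequences in a string would be interpreted as directives if the string ever reached a format function. All names and the sample messages are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define LOG_MAX 128

/* Vulnerable pattern (CWE-134): attacker-controlled text is used as the
 * format string. Directives such as %x or %n inside `msg` are interpreted
 * by the formatter, which leaks or corrupts memory. Kept here only to
 * contrast with the fix below; never pass untrusted input to it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_message_vulnerable(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);   /* BUG: msg is the format string */
}
#pragma GCC diagnostic pop

/* Hardened pattern: the format string is a literal and the untrusted text is
 * passed as an argument, so any '%' it contains is copied verbatim. */
static int log_message_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Review/validation helper: count the '%' characters that would act as
 * format directives. An escaped "%%" is a literal percent and is not counted.
 * A non-zero result on data that flows into any *printf-style call is a
 * finding worth investigating. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }   /* skip escaped "%%" */
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a message an untrusted peer might send. */
    const char *untrusted = "user=%x%x%n";
    char buf[LOG_MAX];

    /* The safe path stores the text unchanged; the directives stay inert. */
    log_message_safe(buf, sizeof buf, untrusted);
    printf("safe log entry : \"%s\"\n", buf);
    printf("directives seen: %d\n", count_format_directives(untrusted));

    /* The vulnerable path is only ever shown here with benign input; with
     * `untrusted` as its format string it would be undefined behaviour. */
    log_message_vulnerable(buf, sizeof buf, "hello");
    printf("benign entry   : \"%s\"\n", buf);
    return 0;
}
```

The point for a reviewer is that both functions behave identically on benign text, so the defect is invisible in normal operation and only surfaces when a remote party controls the message; the fix is purely at the call site (a literal format string), which is why such bugs are typically remediated by a vendor patch rather than by configuration.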
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends following Fortinet's upgrade path using their dedicated tool at https://docs.fortinet.com/upgrade-tool.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, please report the incident via: https://cert.be/en/report-incident.
References
https://www.tenable.com/cve/CVE-2024-21762