
Warning: Two Critical Vulnerabilities Affect Multiple Fortinet Products

Reference: 
Advisory #2024-24
Version: 
2.1
Affected software: 
FortiOS: 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0 all versions
FortiProxy: 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2 all versions, 1.1 all versions, 1.0 all versions
FortiPAM: 1.20, 1.1.0 through 1.1.2, 1.0 all versions
FortiSwitchManager: 7.2.0 through 7.2.3, 7.0.0 through 7.0.3
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2024-21762: CVSS 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-23113: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

UPDATE 2024-02-12: additional vulnerable products have been added by Fortinet since 9 February 2024.

Sources

https://www.fortiguard.com/psirt/FG-IR-24-015

https://www.fortiguard.com/psirt/FG-IR-24-029

Risks

Fortinet has released security patches to address two critical vulnerabilities in FortiOS. CVE-2024-21762 also affects FortiProxy, and CVE-2024-23113 also affects FortiProxy, FortiPAM and FortiSwitchManager (see the affected-software list above).

Both vulnerabilities have low attack complexity, require neither authentication nor user interaction, and have a HIGH impact on Confidentiality, Integrity and Availability.

Fortinet and other sources have confirmed that CVE-2024-21762 is being actively exploited in the wild. CVE-2024-23113 is expected to be used to compromise Fortinet products as well.

Earlier vulnerabilities, in particular CVE-2022-42475 and CVE-2023-27997, were used to compromise Fortinet products and deploy malware. Fortinet warned about the continued exploitation of these older vulnerabilities in its blog post “The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities”.

Description

CVE-2024-21762: Out-of-bounds write.

An out-of-bounds write vulnerability in the SSL VPN daemon (sslvpnd) may allow a remote unauthenticated attacker to execute arbitrary code or commands via maliciously crafted HTTP requests.

CVE-2024-23113: Externally-controlled format string.

A use of an externally-controlled format string in the fgfmd daemon (the FortiGate-to-FortiManager protocol service, FGFM, not the HTTP interface) may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests to that service.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends following Fortinet’s upgrade path using their dedicated tool at https://docs.fortinet.com/upgrade-tool.

Where an immediate upgrade is not possible, the Fortinet advisories listed under Sources describe workarounds: for CVE-2024-21762, disable SSL VPN entirely (disabling web mode alone is not a valid workaround); for CVE-2024-23113, remove fgfm from the allowaccess list of every interface. Note that a local-in policy restricting FGFM to specific source IPs only reduces the attack surface and does not prevent exploitation from those IPs.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
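To triage an inventory against the affected-software list at the top of this advisory, the following added example (not code from the CCB or from Fortinet) encodes those version ranges and checks a product version against them. It parses the version string as printed by the FortiOS CLI command `get system status` (for example `Version: FortiGate-100F v7.0.12,build0523,230425 (GA.M)`) as well as bare version numbers. The table is the union of both CVEs; the names `AFFECTED`, `is_affected`, `triage` and the sample inventory are constructed for illustration, and the FortiPAM entry “1.20” from the list above is read as 1.2.0 (an assumption).

```python
"""Check Fortinet product versions against the affected ranges listed in
this advisory (union of CVE-2024-21762 and CVE-2024-23113).

Added example; not CCB or Fortinet code. Ranges are copied from the
affected-software list above."""
import re
from typing import Dict, List, Optional, Tuple

# (lower, upper) is an inclusive range; (prefix, None) means "all versions"
# of that branch, e.g. ("6.0", None) covers every 6.0.x build.
AFFECTED: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "FortiOS": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13"),
                ("6.4.0", "6.4.14"), ("6.2.0", "6.2.15"), ("6.0", None)],
    "FortiProxy": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.8"), ("7.0.0", "7.0.14"),
                   ("2.0.0", "2.0.13"), ("1.2", None), ("1.1", None), ("1.0", None)],
    # The advisory lists "1.20" for FortiPAM; it is read here as 1.2.0 (assumption).
    "FortiPAM": [("1.2.0", "1.2.0"), ("1.1.0", "1.1.2"), ("1.0", None)],
    "FortiSwitchManager": [("7.2.0", "7.2.3"), ("7.0.0", "7.0.3")],
}

# First dotted version in the text, with an optional leading "v" as in
# "v7.0.12,build0523". Digits without a dot (model names, build numbers)
# are skipped because at least one ".N" component is required.
VERSION_RE = re.compile(r"\bv?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the version as a tuple of ints, e.g. (7, 0, 12)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def in_range(version: Tuple[int, ...], lower: str, upper: Optional[str]) -> bool:
    """Inclusive range check; a None upper bound means the whole branch."""
    lo = parse_version(lower)
    if upper is None:
        return version[: len(lo)] == lo
    return lo <= version <= parse_version(upper)


def is_affected(product: str, version_text: str) -> bool:
    """True if the version falls into any affected range for the product."""
    version = parse_version(version_text)
    return any(in_range(version, lo, up) for lo, up in AFFECTED[product])


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, bool]:
    """Map device name -> affected? for a list of (name, product, version)."""
    return {name: is_affected(product, ver) for name, product, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("fw-edge-01", "FortiOS", "Version: FortiGate-100F v7.0.12,build0523,230425 (GA.M)"),
        ("fw-edge-02", "FortiOS", "v7.4.3"),
        ("proxy-01", "FortiProxy", "2.0.14"),
        ("fsm-01", "FortiSwitchManager", "7.2.3"),
    ]
    for name, affected in triage(sample).items():
        print(f"{name}: {'AFFECTED - upgrade' if affected else 'not in affected ranges'}")
```

A device reported as not affected by this check still needs the Fortinet advisories consulted for the exact fixed build per CVE, and the check says nothing about whether the device was already compromised before patching.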

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, please report the incident via: https://cert.be/en/report-incident.


References

https://www.tenable.com/cve/CVE-2024-21762

https://www.tenable.com/cve/CVE-2024-23113

https://www.bleepingcomputer.com/news/security/new-fortinet-rce-flaw-in-ssl-vpn-likely-exploited-in-attacks/

https://www.bleepingcomputer.com/news/security/chinese-hackers-infect-dutch-military-network-with-malware/

https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities