CVE-2024-21762: Critical Fortinet FortiOS Vulnerability


Background

On February 8, 2024, Fortinet's FortiGuard PSIRT published advisories for two serious FortiOS vulnerabilities: CVE-2024-23113, a format string vulnerability, and CVE-2024-21762, an out-of-bounds write. Either may allow an unauthenticated, remote attacker to execute arbitrary code or commands. FortiGuard has stated that it is aware of possible exploitation of CVE-2024-21762.

CVE-2024-21762

With a CVSS score of 9.6, CVE-2024-21762 is an out-of-bounds write caused by insufficient validation of request data in the FortiOS SSL-VPN component. A remote, unauthenticated attacker can trigger it with specially crafted HTTP requests, causing bytes to be written past the end of a buffer. The resulting memory corruption can redirect the process's control flow and allow arbitrary code or commands to be executed.

CVE-2024-23113

With a CVSS score of 9.8, CVE-2024-23113 is a format string vulnerability in fgfmd, the FortiOS daemon that handles the FortiGate to FortiManager (FGFM) protocol. Using specially crafted requests, a remote attacker could exploit it to execute arbitrary code or commands without authentication.

Public Exploitation

In its advisory dated February 8, Fortinet stated that CVE-2024-21762 is "potentially being exploited in the wild". As of February 9 it had not published any details of that exploitation, nor named the person who first reported the bug.

State-sponsored and other highly motivated threat actors have a history of targeting zero-day vulnerabilities in Fortinet SSL VPNs. Earlier FortiOS vulnerabilities such as CVE-2022-42475, CVE-2022-41328 and CVE-2023-27997 were exploited both as zero-days and, after public disclosure, as n-days.

A day earlier, Fortinet reported that Volt Typhoon, a Chinese state-sponsored threat actor, has been exploiting FortiOS vulnerabilities to deploy custom malware known as COATHANGER.

COATHANGER is a purpose-built remote access trojan (RAT) designed to compromise and persist on FortiGate network security appliances; it was recently reported to have been used in an intrusion at the Dutch Ministry of Defence.

Affected Versions

Product | Vulnerability | Affected Version | Fixed Version
FortiOS | CVE-2024-23113, CVE-2024-21762 | 7.4.0 through 7.4.2 | 7.4.3 or above
FortiOS | CVE-2024-23113, CVE-2024-21762 | 7.2.0 through 7.2.6 | 7.2.7 or above
FortiOS | CVE-2024-23113, CVE-2024-21762 | 7.0.0 through 7.0.13 | 7.0.14 or above
FortiOS | CVE-2024-21762 | 6.4.0 through 6.4.14 | 6.4.15 or above
FortiOS | CVE-2024-21762 | 6.2.0 through 6.2.15 | 6.2.16 or above
FortiOS | CVE-2024-21762 | 6.0 (all versions) | Migrate to a fixed release
FortiSIEM | CVE-2024-23108, CVE-2024-23109 | 7.1.0 through 7.1.1 | 7.1.2 or above
FortiSIEM | CVE-2024-23108, CVE-2024-23109 | 7.0.0 through 7.0.2 | 7.0.3 or above
FortiSIEM | CVE-2024-23108, CVE-2024-23109 | 6.7.0 through 6.7.8 | 6.7.9 or above
FortiSIEM | CVE-2024-23108, CVE-2024-23109 | 6.6.0 through 6.6.3 | 6.6.5 or above
FortiSIEM | CVE-2024-23108, CVE-2024-23109 | 6.5.0 through 6.5.2 | 6.5.3 or above
FortiSIEM | CVE-2024-23108, CVE-2024-23109 | 6.4.0 through 6.4.2 | 6.4.4 or above

Any affected FortiSIEM branch may alternatively be upgraded to 7.2.0 or above.

Recommendations

We strongly recommend upgrading to the latest patched versions of FortiOS and FortiSIEM to address these vulnerabilities.

For devices that cannot be patched immediately, FortiGuard has published the following workarounds:

Remove fgfm Access:

Until the device can be patched, removing fgfm access from every interface is a temporary mitigation for CVE-2024-23113. Consult the FortiGuard advisory for CVE-2024-23113 (FG-IR-24-029) for the exact configuration changes. Note that fgfm is the FortiManager management protocol, so removing it will prevent FortiManager from reaching and discovering the FortiGate; restricting fgfm to the FortiManager's IP with a local-in policy reduces exposure but does not stop exploitation from that address, so it is a mitigation rather than a complete workaround.

Turn Off SSL VPN:

Disabling SSL VPN entirely removes the attack surface for CVE-2024-21762 until the device can be upgraded to a fixed version. Fortinet's advisory (FG-IR-24-015) states explicitly that disabling web mode alone is not a valid workaround.
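The following triage helper is an added example (not Fortinet tooling and not part of the original advisory). It encodes the affected/fixed table from the Affected Versions section above, checks a FortiOS version string against it, parses a `config system interface` dump to find interfaces that expose fgfm, and emits the CLI that drops fgfm while keeping the other services on each interface. The sample status line and interface config are constructed for the example; the `config vpn ssl settings` / `set status disable` syntax for the SSL VPN workaround is an assumption reproduced from the FortiOS CLI and should be confirmed against FG-IR-24-015 before use.

```python
"""Triage helper for FortiOS advisories FG-IR-24-015 / FG-IR-24-029.

Added example, not Fortinet tooling. It (1) checks a FortiOS version string
against the affected/fixed table in this page and (2) finds interfaces whose
allowaccess list exposes fgfm, emitting the CLI that removes it.
"""
import re

# Affected branches from the table: (highest affected patch, first fixed release).
# None for the patch means every build in that branch is affected (6.0: migrate).
FORTIOS_AFFECTED = {
    (7, 4): (2, (7, 4, 3)),
    (7, 2): (6, (7, 2, 7)),
    (7, 0): (13, (7, 0, 14)),
    (6, 4): (14, (6, 4, 15)),
    (6, 2): (15, (6, 2, 16)),
    (6, 0): (None, None),
}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract major.minor.patch from e.g. 'Version: FortiGate-100F v7.2.5,build1517'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess_fortios(text):
    """Return which of the two CVEs apply to this version and the release that fixes them."""
    version = parse_version(text)
    branch, patch = version[:2], version[2]
    if branch not in FORTIOS_AFFECTED:
        return {"version": version, "affected": False, "cves": [], "fixed": None}
    max_patch, fixed = FORTIOS_AFFECTED[branch]
    affected = max_patch is None or patch <= max_patch
    # CVE-2024-23113 (fgfmd) is listed only for the 7.x branches; 6.x is 21762 only.
    cves = ["CVE-2024-21762"] + (["CVE-2024-23113"] if branch[0] >= 7 else [])
    return {"version": version, "affected": affected,
            "cves": cves if affected else [], "fixed": fixed}


# One 'edit "name" ... next' stanza of `config system interface`.
INTERFACE_RE = re.compile(r'edit "([^"]+)"\s*(.*?)\s*\bnext\b', re.S)


def fgfm_exposed_interfaces(config_text):
    """Interfaces whose allowaccess list includes fgfm (exposes fgfmd, CVE-2024-23113)."""
    exposed = []
    for name, body in INTERFACE_RE.findall(config_text):
        m = re.search(r"set allowaccess ([^\n]+)", body)
        if m and "fgfm" in m.group(1).split():
            exposed.append((name, m.group(1).split()))
    return exposed


def fgfm_workaround(exposed):
    """CLI that drops only fgfm from each exposed interface, keeping its other services."""
    lines = ["config system interface"]
    for name, services in exposed:
        keep = [s for s in services if s != "fgfm"]
        lines.append(f'    edit "{name}"')
        lines.append(("        set allowaccess " + " ".join(keep)) if keep
                     else "        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


# CVE-2024-21762 workaround (assumed CLI syntax; confirm against FG-IR-24-015).
SSLVPN_WORKAROUND = "config vpn ssl settings\n    set status disable\nend"

# Constructed sample input: a `get system status` line and a `show system interface` dump.
SAMPLE_STATUS = "Version: FortiGate-100F v7.2.5,build1517,230620 (GA)"
SAMPLE_INTERFACES = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

if __name__ == "__main__":
    report = assess_fortios(SAMPLE_STATUS)
    print(report)
    if report["affected"]:
        print(fgfm_workaround(fgfm_exposed_interfaces(SAMPLE_INTERFACES)))
        print(SSLVPN_WORKAROUND)
```

Run it against the output of `get system status` and `show system interface` collected from each FortiGate; a version that returns `affected: True` with `fixed: None` is on the 6.0 branch and must be migrated rather than patched in place.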

References

https://www.fortiguard.com/psirt/FG-IR-24-015
https://www.fortiguard.com/psirt/FG-IR-24-029

HawkEye
© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.