February 20, 2024 HAWKEYE

CVE-2024-21762: Critical Fortinet FortiOS Vulnerability

Two critical FortiOS vulnerabilities were disclosed by Fortinet's FortiGuard PSIRT on February 8, 2024.

Background:

Both vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary code or commands: CVE-2024-23113 is a format string vulnerability in the fgfmd daemon, and CVE-2024-21762 is an out-of-bounds write in the SSL VPN. FortiGuard has stated that it is aware of possible in-the-wild exploitation of CVE-2024-21762.

CVE-2024-21762:

CVE-2024-21762 (CVSS 9.6) is an out-of-bounds write caused by insufficient validation of request data in the FortiOS SSL VPN. A remote, unauthenticated attacker can trigger it with specially crafted HTTP requests that write bytes past the end of a buffer. The resulting memory corruption can be used to hijack control flow and execute arbitrary code or commands.

CVE-2024-23113:

CVE-2024-23113 (CVSS 9.8) is a format string vulnerability in the FortiOS fgfmd daemon, the service that handles the FortiGate-to-FortiManager (FGFM) protocol. A remote, unauthenticated attacker can exploit it with specially crafted requests to execute arbitrary code or commands.

Public Exploitation:

In its advisory dated February 8, Fortinet stated that CVE-2024-21762 is "potentially being exploited in the wild". As of the February 9 update it had not released further details of that exploitation, nor credited whoever first reported the bug.

State-sponsored and other highly motivated threat actors have a history of targeting zero-day vulnerabilities in Fortinet SSL VPNs. After public disclosure, adversaries have also exploited other recent FortiOS vulnerabilities (such as CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) both as zero-days and as n-days.

Fortinet has also reported that Volt Typhoon, a Chinese state-sponsored threat actor, has exploited FortiOS vulnerabilities to deploy custom malware known as COATHANGER.

COATHANGER, a purpose-built remote access trojan (RAT) for FortiGate network security appliances, was recently found in attacks on the Dutch Ministry of Defense.

Affected Versions:

Product    Vulnerability                    Affected Version        Fixed Version
FortiOS    CVE-2024-23113, CVE-2024-21762   7.4.0 through 7.4.2     7.4.3 or above
FortiOS    CVE-2024-23113, CVE-2024-21762   7.2.0 through 7.2.6     7.2.7 or above
FortiOS    CVE-2024-23113, CVE-2024-21762   7.0.0 through 7.0.13    7.0.14 or above
FortiOS    CVE-2024-21762                   6.4.0 through 6.4.14    6.4.15 or above
FortiOS    CVE-2024-21762                   6.2.0 through 6.2.15    6.2.16 or above
FortiOS    CVE-2024-21762                   6.0 all versions        Migrate to a fixed release
FortiSIEM  CVE-2024-23108, CVE-2024-23109   7.1.0 through 7.1.1     7.1.2 or above
FortiSIEM  CVE-2024-23108, CVE-2024-23109   7.0.0 through 7.0.2     7.0.3 or above
FortiSIEM  CVE-2024-23108, CVE-2024-23109   6.7.0 through 6.7.8     6.7.9 or above
FortiSIEM  CVE-2024-23108, CVE-2024-23109   6.6.0 through 6.6.3     6.6.5 or above
FortiSIEM  CVE-2024-23108, CVE-2024-23109   6.5.0 through 6.5.2     6.5.3 or above
FortiSIEM  CVE-2024-23108, CVE-2024-23109   6.4.0 through 6.4.2     6.4.4 or above

FortiSIEM 7.2.0 or above is also listed as a fixed release.
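As an added example (not code from Fortinet's advisories or from HAWKEYE), the following Python script encodes the FortiOS rows of the table above and triages a device from the "Version:" line of `get system status`. The sample status output is constructed for the example; the `v7.2.5,build1517` line format is the one FortiOS prints.

```python
"""Triage a FortiGate against the affected-version table for
CVE-2024-21762 and CVE-2024-23113 (FG-IR-24-015 / FG-IR-24-029).

Feed it the output of `get system status` (or just a version string such
as "v7.2.5") and it reports which of the two CVEs apply and the minimum
fixed release from the advisory table.
"""
import re
from typing import NamedTuple, Optional


class AffectedRange(NamedTuple):
    cve: str
    train: tuple                  # (major, minor) release train, e.g. (7, 2)
    last_affected: Optional[int]  # highest affected patch level; None = whole train
    fixed: str                    # fixed release per the advisory, or migration advice


# FortiOS rows of the advisory table, transcribed as published.
AFFECTED = [
    AffectedRange("CVE-2024-21762", (7, 4), 2, "7.4.3 or above"),
    AffectedRange("CVE-2024-21762", (7, 2), 6, "7.2.7 or above"),
    AffectedRange("CVE-2024-21762", (7, 0), 13, "7.0.14 or above"),
    AffectedRange("CVE-2024-21762", (6, 4), 14, "6.4.15 or above"),
    AffectedRange("CVE-2024-21762", (6, 2), 15, "6.2.16 or above"),
    AffectedRange("CVE-2024-21762", (6, 0), None, "Migrate to a fixed release"),
    AffectedRange("CVE-2024-23113", (7, 4), 2, "7.4.3 or above"),
    AffectedRange("CVE-2024-23113", (7, 2), 6, "7.2.7 or above"),
    AffectedRange("CVE-2024-23113", (7, 0), 13, "7.0.14 or above"),
]

# Matches "v7.2.5" (as printed by `get system status`) or a bare "7.2.5".
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample of the first lines of `get system status`; only the
# "Version:" line matters for triage.
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.2.5,build1517,230706 (GA.F)
Security Level: 1
Firmware Signature: certified
Virus-DB: 91.04571(2023-09-18 09:56)
Extended DB: 91.04571(2023-09-18 09:56)
"""


def parse_version(text):
    """Return (major, minor, patch) from status output or a version string."""
    # Prefer the explicit "Version:" line so build numbers and signature DB
    # versions further down the output cannot be mistaken for the firmware.
    for line in text.splitlines():
        if line.startswith("Version:"):
            text = line
            break
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no FortiOS version string found")
    return tuple(int(x) for x in m.groups())


def applicable_cves(version):
    """Map each CVE whose affected range contains `version` to its fix.

    A train that is not in the table at all (for example 7.6, or an
    end-of-life 5.x release) yields no hits; that means "not listed",
    not "confirmed safe", so check the advisory for such devices.
    """
    major, minor, patch = version
    hits = {}
    for r in AFFECTED:
        if (major, minor) != r.train:
            continue
        if r.last_affected is None or patch <= r.last_affected:
            hits[r.cve] = r.fixed
    return hits


def triage(status_output):
    """Return the parsed version and the CVE -> fixed-release mapping."""
    version = parse_version(status_output)
    return {
        "version": ".".join(str(n) for n in version),
        "cves": applicable_cves(version),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_STATUS)
    print("FortiOS", report["version"])
    if not report["cves"]:
        print("  not in the affected ranges of either CVE")
    for cve, fix in report["cves"].items():
        print(f"  {cve}: affected, upgrade to {fix}")
```

Run `get system status` on each FortiGate (or read it from a config management export) and pass the text to `triage()`; a 7.2.5 device, for instance, comes back affected by both CVEs with 7.2.7 as the minimum fix, while a 6.4.x device is affected by CVE-2024-21762 only.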

Recommendations:

We strongly recommend upgrading to the latest patched versions of FortiOS and FortiSIEM to address these vulnerabilities.

FortiGuard has also supplied the following workarounds for users who cannot apply the patches immediately:

Remove fgfm Access:

Until the device can be patched, CVE-2024-23113 can be mitigated by removing fgfm from the allowed access services on each interface. Consult the FortiGuard advisory for CVE-2024-23113 for the exact configuration changes. Note that this prevents FortiManager from discovering the FortiGate (connections initiated from the FortiGate side still work), and that restricting fgfm to a single source IP with a local-in policy only reduces the attack surface; it does not prevent exploitation from that IP.

Turn Off SSL VPN:

Disabling SSL VPN entirely on FortiOS devices reduces exposure to CVE-2024-21762 until the device can be upgraded to a fixed version. Disabling web mode alone is not a valid workaround.
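To apply both workarounds consistently across a fleet, the following added Python example (not code from Fortinet or from HAWKEYE) reads a saved `show system interface` export and generates the CLI that strips fgfm from every interface that exposes it, alongside the block that disables SSL VPN. The sample configuration is constructed; the `config system interface` / `set allowaccess` syntax is standard FortiOS CLI, while `unset allowaccess` for an interface whose only service was fgfm is an assumption noted in the code.

```python
"""Generate the FortiOS CLI for the two interim workarounds: strip fgfm
from every interface that allows it (CVE-2024-23113) and disable SSL VPN
(CVE-2024-21762).

Input is the text of `show system interface` saved from the device, so
the script runs offline against a config export before anything is pushed.
"""
import re

EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\s*$')
ALLOWACCESS_RE = re.compile(r"^\s*set allowaccess (.+?)\s*$")

# Constructed sample of `show system interface` output in the format
# FortiOS prints it: port1 and mgmt expose fgfm, port2 does not.
SAMPLE_SHOW = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https
        set type physical
        set snmp-index 2
    next
    edit "mgmt"
        set vdom "root"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess fgfm
        set type physical
        set snmp-index 3
    next
end
"""

# CLI that disables SSL VPN entirely. Disabling only web mode is not a
# valid workaround for CVE-2024-21762.
SSLVPN_WORKAROUND = "config vpn ssl settings\n    set status disable\nend"


def interfaces_with_fgfm(show_output):
    """Return {interface: remaining services} for each interface whose
    allowaccess list contains fgfm, with fgfm removed from the list.

    Only the interface's own allowaccess (nesting depth 1) is examined;
    `config secondaryip` sub-entries have their own allowaccess lists and
    are deliberately skipped here, so review those by hand.
    """
    found = {}
    current = None
    depth = 0
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            depth += 1
            continue
        if stripped == "end":
            depth -= 1
            continue
        if depth != 1:
            continue
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if stripped == "next":
            current = None
            continue
        m = ALLOWACCESS_RE.match(line)
        if m and current is not None:
            services = m.group(1).split()
            if "fgfm" in services:
                found[current] = [s for s in services if s != "fgfm"]
    return found


def fgfm_workaround(show_output):
    """Emit the `config system interface` block that removes fgfm from
    every interface found by interfaces_with_fgfm(); empty string if the
    device exposes fgfm nowhere. An interface whose only service was fgfm
    gets `unset allowaccess` (assumed to reset the list to empty)."""
    hits = interfaces_with_fgfm(show_output)
    if not hits:
        return ""
    lines = ["config system interface"]
    for name, services in hits.items():
        lines.append(f'    edit "{name}"')
        if services:
            lines.append(f"        set allowaccess {' '.join(services)}")
        else:
            lines.append("        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(fgfm_workaround(SAMPLE_SHOW) or "# no interface exposes fgfm")
    print(SSLVPN_WORKAROUND)
```

For the sample above the generated block touches only port1 and mgmt and leaves port2 untouched; review the output before pasting it into the CLI, and remember that after the change FortiManager can no longer discover the device on its own.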

References:
https://www.fortiguard.com/psirt/FG-IR-24-015
https://www.fortiguard.com/psirt/FG-IR-24-029
