Vulnerabilities impacting Fortinet FortiOS – Update 1

Number: AL24-003
Date: October 11, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On February 8, 2024, the Cyber Centre became aware of vulnerabilities impacting multiple versions of Fortinet FortiOS. In response to this advisory the Cyber Centre released advisory AV24-074 on February 9, 2024Footnote 1.

Fortinet reports that CVE-2024-21762 is an out-of-bounds write vulnerability in SSL VPN that may allow a remote unauthenticated threat actor to execute arbitrary code and commands via specially crafted HTTP requestFootnote 2. Fortinet has indicated that CVE-2024-21762 may have been exploited in the wild. 

A second significant vulnerability (CVE-2024-23113) was reported which is a format string bug within the FortiOS FortiGate to FortiManager (fgfmd) protocol.  The vulnerability may allow a remote, unauthenticated threat actor to execute arbitrary code or commands via specially crafted requestsFootnote 3. Fortinet has not indicated that this vulnerability has been exploited.

On February 9, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) updated their Known Exploited Vulnerabilities (KEV) Catalog in response to the Fortinet FortiOS out-of-bound write vulnerability CVE-2024-21762Footnote 4.

Update 1

Fortinet updated their advisoriesFootnote 2Footnote 3 to include additional affected products and to advise that both vulnerabilities have been exploited. The Cyber Centre has noted the additional affected products under Suggested Actions below.

On October 9, 2024, CISA released a statementFootnote 6 indicating that CVE-2024-23113 is being actively exploited in the wild and added it to their Known Exploited Vulnerabilities (KEV) CatalogFootnote 4.

Suggested actions

Fortinet recommends as a temporary workaround, to disable the SSL-VPN service until patching can be completed for CVE-2024-21762Footnote 2.

In regard to CVE-2024-23113, Fortinet also recommends that organizations consider whether there is a need to expose the fgfm daemon (port 541) to the internet for inbound connections, until patching can be completedFootnote 3.

The Cyber Centre strongly recommends that organizations determine if any Fortinet devices need to be patched to remediate these vulnerabilities.

Version:

  • FortiOS 7.6 – Affected: Not affected – Solution: Not Applicable
  • FortiOS 7.4 – Affected: 7.4.0 to 7.4.2 – Solution: Upgrade to 7.4.3 or above
  • FortiOS 7.2 – Affected: 7.2.0 to 7.2.6 – Solution: Upgrade to 7.2.7 or above
  • FortiOS 7.0 – Affected: 7.0.0 to 7.0.13 – Solution: Upgrade to 7.0.14 or above
  • FortiOS 6.4 – Affected: 6.4.0 to 6.4.14 – Solution: Upgrade to 6.4.15 or above
  • FortiOS 6.2 – Affected: 6.2.0 to 6.2.15 – Solution: Upgrade to 6.2.16 or above
  • FortiOS 6.0 – Affected: 6.0 all versions – Solution: Migrate to a fixed release
  • FortiPAM 1.3 – Affected: Not affected – Solution: Not Applicable
  • FortiPAM 1.2 – Affected: 1.2 all versions – Solution: Migrate to a fixed release
  • FortiPAM 1.1 – Affected: 1.1 all versions – Solution: Migrate to a fixed release
  • FortiPAM 1.0 – Affected: 1.0 all versions – Solution: Migrate to a fixed release
  • FortiProxy 7.4 – Affected: 7.4.0 through 7.4.2 – Solution: Upgrade to 7.4.3 or above
  • FortiProxy 7.2 – Affected: 7.2.0 through 7.2.8 – Solution: Upgrade to 7.2.9 or above
  • FortiProxy 7.0 – Affected: 7.0.0 through 7.0.15 – Solution: Upgrade to 7.0.16 or above
  • FortiProxy 2.0 – Affected: 2.0.0 through 2.0.13 – Solution: Upgrade to 2.0.14 or above
  • FortiProxy 1.2 – Affected: 1.2 all versions – Solution: Migrate to a fixed release
  • FortiProxy 1.1 – Affected: 1.1 all versions – Solution: Migrate to a fixed release
  • FortiProxy 1.0 – Affected: 1.0 all versions – Solution: Migrate to a fixed release
  • FortiWeb 7.4 – Affected: 7.4.0 through 7.4.2 – Solution: Upgrade to 7.4.3 or above

Organizations should also review and implement the Cyber Centre’s Top 10 IT Security Actions Footnote 5 with an emphasis on the following topics:

  • consolidating, monitoring, and defending Internet gateways
  • patching operating systems and applications
  • isolate web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner Reporting

ACSC – Critical Vulnerability in FortiOS 

NCSC-NZ – Cyber Security Alert: CVEs affecting FortiOS SSL VPN

This alert was originated From: Canadian Centre for Cyber Security

https://cyber.gc.ca/en/alerts-advisories/vulnerabilities-impacting-fortinet-fortios

Leave a Reply

Your email address will not be published. Required fields are marked *