Fortinet has classified both security vulnerabilities as critical. Additionally, CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with pertinent details regarding the issue.
Network security vendor Fortinet has released security updates to address two remote code execution vulnerabilities (CVE-2024-21762 and CVE-2024-23113) in FortiOS. The vulnerabilities could be exploited by cyber threat actors to take control of affected systems. Fortinet noted that CVE-2024-21762 is potentially being exploited in the wild.
Following the advisory from Fortinet, the US Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog on February 9, 2024, to add CVE-2024-21762. CISA confirmed that this vulnerability, which affects multiple versions, is being actively exploited in attacks.
As per Fortinet, CVE-2024-21762 (CVSS 9.6/10.0, rated Critical) is an out-of-bounds write vulnerability detected in SSL VPN. It allows remote unauthenticated actors to execute arbitrary code/commands through specially designed HTTP requests.
On the other hand, CVE-2024-23113 (CVSS 9.8/10.0, rated Critical) is a format string bug in the FortiOS implementation of the FortiGate to FortiManager protocol, and it allows remote, unauthenticated actors to execute arbitrary code and commands. However, there is no evidence that this vulnerability is being exploited in the wild.
The vulnerabilities affect versions 6.0, 6.2, 6.4, 7.0, 7.2, and 7.4. Fortinet has released patches for each affected version except 6.0, for which users are advised to migrate to a newer release. It is worth noting that FortiOS 7.6 is not impacted.
The vendor stated that it balances customer security with a “culture of researcher collaboration and transparency” and regularly communicates with customers on security measures through their PSIRT Advisory process.
Still, the disclosure of ‘critical’ vulnerabilities in FortiOS has raised concerns in the cybersecurity community. CISA had earlier disclosed that the China-linked threat group Volt Typhoon has been exploiting vulnerabilities in network appliances from various vendors, including Fortinet, Citrix, Cisco, Ivanti, and Netgear.
“In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” the advisory read.
In one of the instances discovered by the Dutch agencies, the group likely obtained initial access by exploiting CVE-2022-42475 in an unpatched network perimeter FortiGate 300D firewall.
For insights into the latest Fortinet flaws and the rising concerns about vulnerabilities in network appliances, we reached out to Mayuresh Dani, Manager, Security Research, at Qualys Threat Research Unit who emphasised that Fortinet alerted its partners about the vulnerability before the public advisory. Considering this, the vulnerability might be easy to exploit, and a Proof of Concept (PoC) disclosure could happen soon.
“Fortinet sent out advanced notifications to its partners about this vulnerability before the advisory was made public. CVE-2024-21762 is already included in the CISA KEV list. The exploit code maturity is also ranked as HIGH in the vendor-supplied CVSS scoring,” noted Mayuresh.
“Given all these facts and the way Fortinet itself has characterized the vulnerability, it may be trivial to exploit this vulnerability and that a PoC disclosure is imminent,” Mayuresh warned. “Furthermore, no user interaction is required for exploitation and there is no mention of how this vulnerability was discovered – internally or via external reports.”