Fortinet has patched a critical vulnerability that enables unauthenticated remote code execution (RCE), warning in an advisory Thursday that the bug “is potentially being exploited in the wild.”
The FortiOS and FortiProxy vulnerability tracked as CVE-2024-21762 has a CVSS score of 9.6. The bug risks RCE via specially crafted HTTP requests due to an out-of-bounds write flaw in sslvpnd, which handles Secure Sockets Layer Virtual Private Network (SSL VPN) functions in the affected products.
FortiOS is the operating system for Fortinet’s Security Fabric platform, powering many Fortinet products including firewall, VPN and anti-virus solutions. FortiProxy is a secure web gateway (SWG) solution from Fortinet.
The latest Fortinet advisory comes one day after the company disclosed that attackers, likely connected to the China nation-state threat actor Volt Typhoon, were actively exploiting critical Fortinet vulnerabilities CVE-2022-42475 and CVE-2023-27997. Patches for these vulnerabilities have been available since January and June 2023, respectively.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released a joint advisory with domestic and international partners Wednesday warning that Volt Typhoon was exploiting vulnerabilities in Fortinet, Ivanti, NETGEAR, Citrix and Cisco products to attack and persist on the networks of critical infrastructure targets.
SC Media reached out to Fortinet to ask whether Volt Typhoon was suspected to be exploiting CVE-2024-21762, but did not receive a response.
Which Fortinet product versions need to be patched?
The National Vulnerability Database (NVD) lists the following affected versions of FortiOS and FortiProxy:
- FortiOS 7.4.0 to 7.4.2
- FortiOS 7.2.0 to 7.2.6
- FortiOS 7.0.0 to 7.0.13
- FortiOS 6.4.0 to 6.4.14
- FortiOS 6.2.0 to 6.2.15
- FortiOS 6.0.0 to 6.0.17
- FortiProxy 7.2.0 to 7.4.2
- FortiProxy 7.2.0 to 7.2.8
- FortiProxy 7.0.0 to 7.0.14
- FortiProxy 2.0.0 to 2.0.13
- FortiProxy 1.2.0 to 1.2.13
- FortiProxy 1.1.0 to 1.1.6
- FortiProxy 1.0.0 to 1.0.7
FortiOS version 7.6 is not affected by CVE-2024-21762.
Fortinet said users who cannot immediately patch can disable SSL VPN as a workaround and warned that disabling webmode is not a valid workaround. Users of affected products are advised to follow recommended upgrade paths using Fortinet’s upgrade path tool.
Fortinet discloses 4 critical vulnerabilities in 1 week
Three other critical vulnerabilities, one in FortiOS and two in FortiSIEM, were also patched this week, but not suspected to be under active exploitation.
Fortinet published an advisory on Wednesday for CVE-2024-23113, a CVSS 9.8-scored flaw that could also enable unauthenticated RCE. An attacker could make use of a vulnerable externally controlled format string in the FortiOS fgfmd (FortiGate/FortiManager daemon).
CVE-2024-23113 affects FortiOS versions 7.4.0 to 7.4.2, 7.2.0 to 7.2.6 and 7.0.0 to 7.0.13. FortiOS 6 versions are not affected. Users who cannot patch can remove fgfm access as a workaround.
Additionally, Fortinet updated a previous advisory on Monday to include two new vulnerabilities that circumvent patches for an older vulnerability tracked as CVE-2023-34992. The new CVEs — CVE-2024-23108 and CVE-2024-23109 — share the same description and CVSS score of 9.8 from the NVD but affect more versions than CVE-2023-34992.
The vulnerabilities are OS command injection bugs in FortiSIEM that would allow an unauthorized attacker to perform RCE using crafted API requests. The following versions are affected by CVE-2024-23108 and CVE-2024-23109:
- FortiSIEM 7.1.0 to 7.1.1
- FortiSIEM 7.0.0 to 7.0.2
- FortiSIEM 6.7.0 to 6.7.8
- FortiSIEM 6.6.0 to 6.6.3
- FortiSIEM 6.5.0 to 6.5.2
- FortiSIEM 6.4.0 to 6.4.2
Fortinet originally denied CVE-2024-23108 and CVE-2024-23109 were new vulnerabilities, saying that CVE-2023-34992 was mistakenly duplicated. However, they later confirmed that the two new CVEs are “variants” and patch bypasses of the older bug, according to BleepingComputer.
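The version lists above for CVE-2024-21762 (FortiOS and FortiProxy), CVE-2024-23113 (FortiOS) and CVE-2024-23108/CVE-2024-23109 (FortiSIEM) are the data a defender needs to triage an inventory. The following is an added example, not code from the article, Fortinet or the NVD: it copies the inclusive ranges exactly as printed in the lists above (including the FortiProxy "7.2.0 to 7.4.2" entry as printed), parses dotted version strings and reports which of these CVEs apply to each asset. The function names, the product keys and the inventory rows are assumptions constructed for the example; a version that falls outside every listed range is reported as not affected here, which should be confirmed against Fortinet's own advisory and upgrade-path tool before an asset is closed out.

```python
"""Affected-version triage for the Fortinet advisories in the article.

Constructed example. Ranges are copied from the article's lists; function
names, product keys and the sample inventory are assumptions.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '7.4.2' (or '7.4') into a 3-tuple; raises ValueError on junk input.

    Build suffixes such as '7.4.2-build1234' are deliberately not accepted, so
    a malformed inventory row fails loudly instead of being silently skipped.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


# (CVE, product) -> inclusive (low, high) ranges, as printed in the article.
AFFECTED: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("CVE-2024-21762", "FortiOS"): [
        ("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13"),
        ("6.4.0", "6.4.14"), ("6.2.0", "6.2.15"), ("6.0.0", "6.0.17"),
    ],
    ("CVE-2024-21762", "FortiProxy"): [
        ("7.2.0", "7.4.2"), ("7.2.0", "7.2.8"), ("7.0.0", "7.0.14"),
        ("2.0.0", "2.0.13"), ("1.2.0", "1.2.13"), ("1.1.0", "1.1.6"),
        ("1.0.0", "1.0.7"),
    ],
    ("CVE-2024-23113", "FortiOS"): [
        ("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13"),
    ],
    ("CVE-2024-23108", "FortiSIEM"): [
        ("7.1.0", "7.1.1"), ("7.0.0", "7.0.2"), ("6.7.0", "6.7.8"),
        ("6.6.0", "6.6.3"), ("6.5.0", "6.5.2"), ("6.4.0", "6.4.2"),
    ],
    ("CVE-2024-23109", "FortiSIEM"): [
        ("7.1.0", "7.1.1"), ("7.0.0", "7.0.2"), ("6.7.0", "6.7.8"),
        ("6.6.0", "6.6.3"), ("6.5.0", "6.5.2"), ("6.4.0", "6.4.2"),
    ],
}


def in_range(version: Version, low: str, high: str) -> bool:
    """Inclusive comparison on (major, minor, patch) tuples."""
    return parse_version(low) <= version <= parse_version(high)


def affected_cves(product: str, version_text: str) -> List[str]:
    """Return the CVEs from the article whose ranges contain this build.

    An empty list means 'outside every listed range', not 'verified fixed'.
    """
    version = parse_version(version_text)
    hits = [
        cve
        for (cve, prod), ranges in AFFECTED.items()
        if prod == product and any(in_range(version, lo, hi) for lo, hi in ranges)
    ]
    return sorted(hits)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map hostname -> affected CVEs for (hostname, product, version) rows."""
    return {host: affected_cves(prod, ver) for host, prod, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.4.2"),      # hit by both FortiOS CVEs
    ("fw-branch-02", "FortiOS", "6.4.10"),   # CVE-2024-21762 only (6.x)
    ("fw-lab-03", "FortiOS", "7.6.0"),       # not affected per the article
    ("proxy-01", "FortiProxy", "7.0.14"),    # last build in a listed range
    ("proxy-02", "FortiProxy", "7.0.15"),    # one past the listed range
    ("siem-01", "FortiSIEM", "7.1.1"),       # both FortiSIEM variants
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {', '.join(cves) if cves else 'no listed CVE'}")
```

The inclusive-range check is the part that is easy to get wrong by hand: the upper bound of each range (7.0.14 for FortiProxy, 7.4.2 for FortiOS) is still affected, and only the next build upward falls outside. Rejecting unparseable version strings rather than skipping them keeps a dirty asset record from quietly disappearing from the patch list.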