Critical Fortinet FortiOS flaw exploited in the wild (CVE-2024-21762)
Fortinet has patched critical remote code execution vulnerabilities in FortiOS (CVE-2024-21762, CVE-2024-23313), one of which is “potentially” being exploited in the wild.
CISA has confirmed the in-the-wild exploitation of CVE-2024-21762 by adding it to its Known Exploited Vulnerabilities (KEV) catalog, though details about the attacks are still undisclosed.
About the vulnerabilities (CVE-2024-21762, CVE-2024-23313)
CVE-2024-21762 is an out-of-bounds write vulnerability in FortiOS, which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.
CVE-2024-23313 is a use of externally-controlled format string vulnerability in the FortiOS fgfmd daemon, which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
Various versions of FortiOS, FortiProxy, FortiPAM and FortiSwitchManager are affected by one or both of them, and fixed versions have been provided – though some older versions won’t receive a fix and users are advised to migrate to a fixed release.
It often takes several days for Fortinet security updates to appear when checking for updates through the software. Admins looking to patch quickly should download the updates from Fortinet’s site and implement them manually.
There is also a workaround for each flaw: disable SSL VPN (CVE-2024-21762), or remove fgfm access from each interface (CVE-2024-23313).
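The following is an added example, not code from the article or from Fortinet, showing how an administrator could audit a saved FortiOS configuration export for the two exposures the workarounds address: interfaces whose allowaccess list still includes fgfm, and whether SSL VPN is switched off. It assumes the export is in the plain "config ... edit ... set ... next ... end" syntax that FortiOS "show" output uses, and it treats a "status" key under "config vpn ssl settings" as the on/off switch for SSL VPN, which is an assumption for this example (absence of that key is conservatively reported as enabled). The sample configuration is constructed for the example; the interface names and addresses are made up.

```python
import re

# Constructed sample: a trimmed FortiOS configuration export in "show" syntax.
# Interface names and addresses are invented for this example.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "mgmt"
        set vdom "root"
        set ip 203.0.113.1 255.255.255.0
        set allowaccess ping https ssh fgfm snmp
        set type physical
    next
end
config vpn ssl settings
    set status enable
    set port 10443
end
"""

# "config <section>" ... "end" at column 0; "edit <name>" ... "next" inside a section.
BLOCK_RE = re.compile(r'^config (.+?)\n(.*?)^end\s*$', re.S | re.M)
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\n(.*?)^\s*next\s*$', re.S | re.M)
SET_RE = re.compile(r'^\s*set (\S+)\s*(.*)$', re.M)


def _settings(body):
    """Map 'set <key> <value...>' lines to a dict of key -> raw value string."""
    return {key: value.strip() for key, value in SET_RE.findall(body)}


def parse_config(text):
    """Return {section: {entry_name: {key: value}}}.

    Settings that sit directly under a section (no 'edit' entry) are stored
    under the empty-string entry name.
    """
    sections = {}
    for block in BLOCK_RE.finditer(text):
        section, body = block.group(1), block.group(2)
        entries = {e.group(1): _settings(e.group(2)) for e in EDIT_RE.finditer(body)}
        top_level = _settings(EDIT_RE.sub('', body))
        if top_level:
            entries[''] = top_level
        sections[section] = entries
    return sections


def interfaces_with_fgfm(config):
    """Names of interfaces whose allowaccess list still includes fgfm."""
    interfaces = config.get('system interface', {})
    return sorted(
        name for name, settings in interfaces.items()
        if name and 'fgfm' in settings.get('allowaccess', '').split()
    )


def ssl_vpn_enabled(config):
    """True unless SSL VPN is explicitly disabled (assumed 'status' key)."""
    settings = config.get('vpn ssl settings', {}).get('', {})
    return settings.get('status', 'enable') != 'disable'


def hardened_allowaccess(value):
    """The same allowaccess list with fgfm removed, other services untouched."""
    return ' '.join(service for service in value.split() if service != 'fgfm')


def remediation_commands(config):
    """CLI block that drops fgfm from every exposed interface, in the
    'config system interface / edit / set allowaccess' form FortiOS uses."""
    interfaces = config.get('system interface', {})
    lines = ['config system interface']
    for name in interfaces_with_fgfm(config):
        current = interfaces[name]['allowaccess']
        lines += [f'    edit "{name}"',
                  f'        set allowaccess {hardened_allowaccess(current)}',
                  '    next']
    lines.append('end')
    return '\n'.join(lines)


if __name__ == '__main__':
    cfg = parse_config(SAMPLE_CONFIG)
    print('Interfaces exposing fgfm:', interfaces_with_fgfm(cfg))
    print('SSL VPN enabled:', ssl_vpn_enabled(cfg))
    print(remediation_commands(cfg))
```

Running the script against a real export (replace SAMPLE_CONFIG with the file contents) prints the interfaces that still expose fgfm, the SSL VPN state, and a ready-to-review CLI block that removes only fgfm while leaving the other allowed services on each interface as they were. Review the generated block before applying it; it is a starting point for the workaround, not a substitute for installing the fixed release.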
Fortinet products under attack
“Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors. Other recent Fortinet SSL VPN vulnerabilities (e.g., CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by adversaries as both zero-day and as n-day following public disclosure,” Rapid7 researchers noted.
It was recently revealed that Chinese hackers breached the Dutch Ministry of Defense by exploiting CVE-2022-42475, and Fortinet researchers have shared details of exploitation of various resolved n-day vulnerabilities in its products.