New critical FortiOS SSL-VPN vulnerability disclosed – potentially being exploited in attacks
Fortinet has advised that a newly disclosed critical remote code execution flaw in its FortiOS SSL-VPN service is potentially being exploited in attacks.
The potentially exploited vulnerability is tracked as CVE-2024-21762 and has a CVSS severity rating of 9.6. According to Fortinet, the flaw in FortiOS is an out-of-bounds write vulnerability which “may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.”
The flaw was disclosed alongside three other vulnerabilities; however, these have not been marked as being exploited in the wild.
- CVE-2024-23113 (CVSS 9.8) – A format string vulnerability affecting the fgfmd daemon; successful exploitation may allow a remote actor to execute arbitrary code via specially crafted requests.
- CVE-2023-44487 (CVSS 7.5) – “The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly.”
- CVE-2023-47537 (CVSS 7.8) – “An improper certificate validation vulnerability [CWE-295] in FortiOS may allow an unauthenticated attacker in a Man-in-the-Middle position to decipher and alter the FortiLink communication channel between the FortiOS device and a FortiSwitch instance.”
The following versions of FortiOS are vulnerable to exploitation:
- FortiOS 7.4.0 through 7.4.2
- FortiOS 7.2.0 through 7.2.6
- FortiOS 7.0.0 through 7.0.13
- FortiOS 6.4.0 through 6.4.14
- FortiOS 6.2.0 through 6.2.15
- all versions of FortiOS 6.0
CTRL strongly recommends patching FortiOS devices to version 7.4.3 or later as soon as possible. For those unable to deploy patches, disabling SSL-VPN will prevent exploitation of CVE-2024-21762; however, there is no workaround for the other three flaws.
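As an added example (not from the advisory or from Fortinet), a small Python script that checks FortiOS version strings from an asset inventory against the affected ranges listed above. The hostnames and inventory lines are constructed sample input; a version outside every listed range is reported as "not_listed" rather than safe, since the advisory says nothing about other branches.

```python
from typing import Optional, Tuple

# Inclusive (low, high) affected ranges, taken from the advisory's list above.
AFFECTED_RANGES = [
    ((7, 4, 0), (7, 4, 2)),
    ((7, 2, 0), (7, 2, 6)),
    ((7, 0, 0), (7, 0, 13)),
    ((6, 4, 0), (6, 4, 14)),
    ((6, 2, 0), (6, 2, 15)),
]

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'v7.4.2', '7.4.2' or '7.4.2 build2571' into (major, minor, patch)."""
    tokens = text.strip().lstrip("vV").split()
    if not tokens:
        return None
    parts = tokens[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if inside a listed range or on the 6.0 branch (all versions affected)."""
    if version[:2] == (6, 0):
        return True
    return any(low <= version <= high for low, high in AFFECTED_RANGES)

def triage(inventory: str) -> dict:
    """Map each 'hostname,version' line to 'affected', 'not_listed' or 'unparsed'."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, ver = line.partition(",")
        parsed = parse_version(ver)
        if parsed is None:
            result[host] = "unparsed"   # unknown version string: verify manually
        else:
            result[host] = "affected" if is_affected(parsed) else "not_listed"
    return result

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """\
fw-edge-01,v7.4.2 build2571
fw-edge-02,7.4.3
fw-branch-03,7.0.13
fw-lab-04,6.0.9
fw-unknown-05,n/a
"""
```

Run `triage(SAMPLE_INVENTORY)` to get a per-host status; "unparsed" entries are the ones to check by hand rather than assume clean.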