Date: 13/2/2024 | Prepared by: Joel D'Souza, Vulnerability Security Analyst
This bulletin aims to address multiple recently disclosed CRITICAL-risk vulnerabilities present in Fortinet FortiOS.
As these vulnerabilities allow potential attackers to perform Remote Code Execution (RCE), the Triskele Labs team advises that all organisations using affected versions of FortiOS should follow the remediation steps outlined in the subsequent sections.
These vulnerabilities are being tracked as CVE-2024-21762 and CVE-2024-23113.
On 7 February 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) indicated that similar vulnerabilities in FortiOS network appliances were used by state-sponsored threat actors Volt Typhoon, to establish initial access to organisation networks.
Additionally, FortiGuard Labs advised that threat actors are potentially exploiting this vulnerability in the wild.
On 9 February 2024, the Australian Cyber Security Centre (ACSC) released a vulnerability disclosure focused on CVE-2024-21762, recommending that all organisations patch the affected devices and disable SSL VPN.
On 8 February 2024, FortiGuard Labs published a vulnerability disclosure (FG-IR-24-015) reserved as CVE-2024-21762, impacting several versions of FortiOS, as listed below.
The identified vulnerability leverages an out-of-bounds write attack vector to initiate unauthenticated Remote Code Execution (RCE) using specially crafted HTTP requests.
Proof-of-Concept has not been publicly released for exploiting this vulnerability.
Simultaneously FortiGuard Labs published another vulnerability disclosure (FG-IR-24-029) reserved as CVE-2024-23113, impacting the following versions of FortiOS.
This vulnerability leverages an externally controlled format string attack vector, which allows an attacker to modify the format string in fgfmd daemon present in certain versions of FortiOS. Using specially crafted requests, an unauthenticated attacker could initiate Remote Code Execution (RCE).
Proof-of-Concept has not been publicly released for exploiting this vulnerability.
The attack paths for each of these vulnerabilities could be used for data exfiltration, data encryption, or network traversal.
Due to the criticality of these vulnerabilities and their potential exploitation, devices using affected versions of FortiOS should be treated as an optimal target for a threat actor and patched as a priority for the business, to prevent exfiltration of data and leakage of Personally Identifiable Information (PII), and other sensitive data.
Triskele Labs recommends upgrading to the latest version of FortiOS immediately to ensure permanent mitigation. The upgrade paths in the table below, provided by FortiGuard Labs, can be used to mitigate this vulnerability using their tool located at
If you are utilising an instance of FortiOS listed as impacted by this vulnerability, Triskele Labs recommends reviewing the firewall logs for unusual activity, in case this vulnerability has already been exploited.
If this is the case, persistence may already be present, which an update will not remediate.
If an immediate update is not an option, a temporary workaround for CVE-2024-21762 can be implemented by completely disabling SSL VPN functionality.
According to the vendor, simply disabling “webmode” is not regarded as a valid workaround for CVE-2024-21762.
A temporary workaround for CVE-2024-23113 is to remove access to FGFM from each interface. An example provided by FortiGuard Labs is listed below:
For each interface entry in the system:
config system interface
edit "portX"
set allowaccess ping https ssh fgfm
next
end
Modify this entry to the following:
config system interface
edit "portX"
set allowaccess ping https ssh
next
end
Please Note: While implementing this workaround will continue to allow connections from the FortiGate device, it will prevent FortiGate discovery from FortiManager. Additionally, the implementation of a local-in policy that only allows FGFM connections from a specific IP address will reduce the attack surface, but the vulnerability could still be exploited from this IP address.
|
Version |
Vulnerability |
Affected Versions |
Solution |
|
FortiOS 6.0 |
CVE-2024-21762 |
6.0 all versions |
Migrate to a fixed release |
|
FortiOS 6.2 |
CVE-2024-21762 |
6.2.0 through 6.2.15 |
Upgrade to 6.2.16 or above |
|
FortiOS 6.4 |
CVE-2024-21762 |
6.4.0 through 6.4.14 |
Upgrade to 6.4.15 or above |
|
FortiOS 7.0 |
CVE-2024-21762 |
7.0.0 through 7.0.13 |
Upgrade to 7.0.14 or above |
|
FortiOS 7.0 |
CVE-2024-23113 |
7.0.0 through 7.0.13 |
Upgrade to 7.0.14 or above |
|
FortiOS 7.2 |
CVE-2024-21762 |
7.2.0 through 7.2.6 |
Upgrade to 7.2.7 or above |
|
FortiOS 7.2 |
CVE-2024-23113 |
7.2.0 through 7.2.6 |
Upgrade to 7.2.7 or above |
|
FortiOS 7.4 |
CVE-2024-21762 |
7.4.0 through 7.4.2 |
Upgrade to 7.4.3 or above |
|
FortiOS 7.4 |
CVE-2024-23113 |
7.4.0 through 7.4.2 |
Upgrade to 7.4.3 or above |
|
FortiOS 7.6 |
CVE-2024-21762 |
Not affected |
Not Applicable |
|
FortiPAM 1.0 |
CVE-2024-23113 |
1.0 all versions |
Migrate to a fixed release |
|
FortiPAM 1.1 |
CVE-2024-23113 |
1.1.0 through 1.1.2 |
Upgrade to 1.1.3 or above |
|
FortiPAM 1.2 |
CVE-2024-23113 |
1.2.0 |
Upgrade to 1.2.1 or above |
|
FortiProxy 1.0 |
CVE-2024-21762 |
1.0 all versions |
Migrate to a fixed release |
|
FortiProxy 1.1 |
CVE-2024-21762 |
1.1 all versions |
Migrate to a fixed release |
|
FortiProxy 1.2 |
CVE-2024-21762 |
1.2 all versions |
Migrate to a fixed release |
|
FortiProxy 2.0 |
CVE-2024-21762 |
2.0.0 through 2.0.13 |
Upgrade to 2.0.14 or above |
|
FortiProxy 7.0 |
CVE-2024-21762 |
7.0.0 through 7.0.14 |
Upgrade to 7.0.15 or above |
|
FortiProxy 7.0 |
CVE-2024-23113 |
7.0.0 through 7.0.14 |
Upgrade to 7.0.15 or above |
|
FortiProxy 7.2 |
CVE-2024-21762 |
7.2.0 through 7.2.8 |
Upgrade to 7.2.9 or above |
|
FortiProxy 7.2 |
CVE-2024-23113 |
7.2.0 through 7.2.8 |
Upgrade to 7.2.9 or above |
|
FortiProxy 7.4 |
CVE-2024-21762 |
7.4.0 through 7.4.2 |
Upgrade to 7.4.3 or above |
|
FortiProxy 7.4 |
CVE-2024-23113 |
7.4.0 through 7.4.2 |
Upgrade to 7.4.3 or above |
|
FortiSwitchManager 7.0 |
CVE-2024-23113 |
7.0.0 through 7.0.3 |
Upgrade to 7.0.4 or above |
|
FortiSwitchManager 7.2 |
CVE-2024-23113 |
7.2.0 through 7.2.3 |
Upgrade to 7.2.4 or above |
Currently detection capabilities are limited to identifying the application’s version number.
As Triskele Labs vendor partners release new detection logic, this bulletin will be updated with additional information.
Triskele Labs DefenceShield customers with our Vulnerability Scanning service are being assessed currently. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored for IOCs and Lateral Movement.
References used for the generation of this release:
