Triskele Labs Blog

CVE-2024-21762, CVE-2024-23113: Multiple FortiOS Vulnerabilities

Written by Joel D'Souza | Feb 13, 2024 3:33:46 AM

Date: 13/2/2024 | Prepared by: Joel D'Souza, Vulnerability Security Analyst

Purpose

This bulletin aims to address multiple recently disclosed CRITICAL-risk vulnerabilities present in Fortinet FortiOS.

As these vulnerabilities allow potential attackers to perform Remote Code Execution (RCE), the Triskele Labs team advises that all organisations using affected versions of FortiOS should follow the remediation steps outlined in the subsequent sections.

These vulnerabilities are being tracked as CVE-2024-21762 and CVE-2024-23113.

On 7 February 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) indicated that similar vulnerabilities in FortiOS network appliances were used by state-sponsored threat actors Volt Typhoon, to establish initial access to organisation networks.

Additionally, FortiGuard Labs advised that threat actors are potentially exploiting this vulnerability in the wild.

On 9 February 2024, the Australian Cyber Security Centre (ACSC) released a vulnerability disclosure focused on CVE-2024-21762, recommending that all organisations patch the affected devices and disable SSL VPN.

 

CVE-2024-21762 Details

On 8 February 2024, FortiGuard Labs published a vulnerability disclosure (FG-IR-24-015) reserved as CVE-2024-21762, impacting several versions of FortiOS, as listed below.

  • FortiOS 6.0 all versions
  • FortiOS 6.2 2.0 through 6.2.15
  • FortiOS 6.4 4.0 through 6.4.14
  • FortiOS 7.0 0.0 through 7.0.13
  • FortiOS 7.2 2.0 through 7.2.6
  • FortiOS 7.4 4.0 through 7.4.2
  • FortiProxy 1.0 0 all versions
  • FortiProxy 1.1 1 all versions
  • FortiProxy 1.2 2 all versions
  • FortiProxy 2.0 0.0 through 2.0.13
  • FortiProxy 7.0 0.0 through 7.0.14
  • FortiProxy 7.2 2.0 through 7.2.8
  • FortiProxy 7.4 4.0 through 7.4.2

The identified vulnerability leverages an out-of-bounds write attack vector to initiate unauthenticated Remote Code Execution (RCE) using specially crafted HTTP requests.

Proof-of-Concept has not been publicly released for exploiting this vulnerability.

 

 

CVE-2024-23113 Details

Simultaneously FortiGuard Labs published another vulnerability disclosure (FG-IR-24-029) reserved as CVE-2024-23113, impacting the following versions of FortiOS.

  • FortiOS 7.0 0.0 through 7.0.13
  • FortiOS 7.2 2.0 through 7.2.6
  • FortiOS 7.4 4.0 through 7.4.2
  • FortiPAM 1.0 0 all versions
  • FortiPAM 1.1 1.0 through 1.1.2
  • FortiPAM 1.2 2.0
  • FortiProxy 7.0 0.0 through 7.0.14
  • FortiProxy 7.2 2.0 through 7.2.8
  • FortiProxy 7.4 4.0 through 7.4.2
  • FortiSwitchManager 7.0 0.0 through 7.0.3
  • FortiSwitchManager 7.2 2.0 through 7.2.3

This vulnerability leverages an externally controlled format string attack vector, which allows an attacker to modify the format string in fgfmd daemon present in certain versions of FortiOS. Using specially crafted requests, an unauthenticated attacker could initiate Remote Code Execution (RCE).

Proof-of-Concept has not been publicly released for exploiting this vulnerability.

 

Impact

The attack paths for each of these vulnerabilities could be used for data exfiltration, data encryption, or network traversal.

Due to the criticality of these vulnerabilities and their potential exploitation, devices using affected versions of FortiOS should be treated as an optimal target for a threat actor and patched as a priority for the business, to prevent exfiltration of data and leakage of Personally Identifiable Information (PII), and other sensitive data.

 

Mitigation Actions

Triskele Labs recommends upgrading to the latest version of FortiOS immediately to ensure permanent mitigation. The upgrade paths in the table below, provided by FortiGuard Labs, can be used to mitigate this vulnerability using their tool located at

If you are utilising an instance of FortiOS listed as impacted by this vulnerability, Triskele Labs recommends reviewing the firewall logs for unusual activity, in case this vulnerability has already been exploited.

If this is the case, persistence may already be present, which an update will not remediate.

If an immediate update is not an option, a temporary workaround for CVE-2024-21762 can be implemented by completely disabling SSL VPN functionality.

According to the vendor, simply disabling “webmode” is not regarded as a valid workaround for CVE-2024-21762.

A temporary workaround for CVE-2024-23113 is to remove access to FGFM from each interface. An example provided by FortiGuard Labs is listed below:

For each interface entry in the system:

config system interface

    edit "portX"

         set allowaccess ping https ssh fgfm

    next

end

 

Modify this entry to the following:

config system interface

    edit "portX"

         set allowaccess ping https ssh

    next

end

Please Note: While implementing this workaround will continue to allow connections from the FortiGate device, it will prevent FortiGate discovery from FortiManager. Additionally, the implementation of a local-in policy that only allows FGFM connections from a specific IP address will reduce the attack surface, but the vulnerability could still be exploited from this IP address.

Version

Vulnerability

Affected Versions

Solution

FortiOS 6.0

CVE-2024-21762

6.0 all versions

Migrate to a fixed release

FortiOS 6.2

CVE-2024-21762

6.2.0 through 6.2.15

Upgrade to 6.2.16 or above

FortiOS 6.4

CVE-2024-21762

6.4.0 through 6.4.14

Upgrade to 6.4.15 or above

FortiOS 7.0

CVE-2024-21762

7.0.0 through 7.0.13

Upgrade to 7.0.14 or above

FortiOS 7.0

CVE-2024-23113

7.0.0 through 7.0.13

Upgrade to 7.0.14 or above

FortiOS 7.2

CVE-2024-21762

7.2.0 through 7.2.6

Upgrade to 7.2.7 or above

FortiOS 7.2

CVE-2024-23113

7.2.0 through 7.2.6

Upgrade to 7.2.7 or above

FortiOS 7.4

CVE-2024-21762

7.4.0 through 7.4.2

Upgrade to 7.4.3 or above

FortiOS 7.4

CVE-2024-23113

7.4.0 through 7.4.2

Upgrade to 7.4.3 or above

FortiOS 7.6

CVE-2024-21762

Not affected

Not Applicable

FortiPAM 1.0

CVE-2024-23113

1.0 all versions

Migrate to a fixed release

FortiPAM 1.1

CVE-2024-23113

1.1.0 through 1.1.2

Upgrade to 1.1.3 or above

FortiPAM 1.2

CVE-2024-23113

1.2.0

Upgrade to 1.2.1 or above

FortiProxy 1.0

CVE-2024-21762

1.0 all versions

Migrate to a fixed release

FortiProxy 1.1

CVE-2024-21762

1.1 all versions

Migrate to a fixed release

FortiProxy 1.2

CVE-2024-21762

1.2 all versions

Migrate to a fixed release

FortiProxy 2.0

CVE-2024-21762

2.0.0 through 2.0.13

Upgrade to 2.0.14 or above

FortiProxy 7.0

CVE-2024-21762

7.0.0 through 7.0.14

Upgrade to 7.0.15 or above

FortiProxy 7.0

CVE-2024-23113

7.0.0 through 7.0.14

Upgrade to 7.0.15 or above

FortiProxy 7.2

CVE-2024-21762

7.2.0 through 7.2.8

Upgrade to 7.2.9 or above

FortiProxy 7.2

CVE-2024-23113

7.2.0 through 7.2.8

Upgrade to 7.2.9 or above

FortiProxy 7.4

CVE-2024-21762

7.4.0 through 7.4.2

Upgrade to 7.4.3 or above

FortiProxy 7.4

CVE-2024-23113

7.4.0 through 7.4.2

Upgrade to 7.4.3 or above

FortiSwitchManager 7.0

CVE-2024-23113

7.0.0 through 7.0.3

Upgrade to 7.0.4 or above

FortiSwitchManager 7.2

CVE-2024-23113

7.2.0 through 7.2.3

Upgrade to 7.2.4 or above

 

 

Detection Capabilities

Currently detection capabilities are limited to identifying the application’s version number.

As Triskele Labs vendor partners release new detection logic, this bulletin will be updated with additional information.

Triskele Labs DefenceShield customers with our Vulnerability Scanning service are being assessed currently. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored for IOCs and Lateral Movement.

 

References

References used for the generation of this release: