Initial alert on : 2024-02-09 09:15:09
On February 7, 2024, selected Fortinet partners such as Orange Cyberdefense received an advance warning about two new critical vulnerabilities impacting FortiOS, and SSL-VPN in particular. The first, CVE-2024-21762 (link for our clients), has a CVSS score of 9.6 out of 10 and allows an unauthenticated remote attacker to execute commands using specially crafted requests. Unfortunately, the vendor believes this flaw has been exploited in the wild, and no external vulnerability researcher is thanked for finding and reporting it. Most versions are affected, and no workaround exists as of now.
Fortinet also patched another critical vulnerability, CVE-2024-23113 (link for our clients), scored at 9.8. This format-string issue in the FGFM daemon was found internally by the vendor. A more limited set of versions (only the 7.0, 7.2 and 7.4 branches) is impacted.
As a reminder, FortiOS SSL-VPN is a VPN solution widely used across various industries and organizations globally. Over the last months, previous critical vulnerabilities affecting this same product have been exploited by Chinese state-sponsored threat actors, such as CVE-2022-42475, notably used in the recent cyberespionage attack against the Dutch Defense Ministry.
1.2 What you will hear
FortiOS SSL-VPN’s critical Out-of-bounds Write vulnerability exploited in the wild.
1.3 What it means
Fortinet has just shared a private advance warning with some of its customers, including Orange Cyberdefense, alerting them to a new Out-of-bounds Write vulnerability in its FortiOS SSL-VPN. The flaw is located in the sslvpnd component, i.e. the SSL VPN daemon, which is responsible for managing SSL VPN connections.
According to researchers, the flaw is caused by incorrect parameter checks, which allow a limited number of bytes to be copied outside buffer bounds, leading to memory corruption and control-flow redirection. Using this vulnerability, a remote, unauthenticated attacker can attempt to execute unauthorized code or commands and take control of the appliance by sending specially forged requests to a FortiOS SSL-VPN server.
To patch this bug, you need to upgrade to one of the following versions:
FortiOS version 7.6.0 or above
FortiOS version 7.4.3 or above
FortiOS version 7.2.7 or above
FortiOS version 7.0.14 or above
FortiOS version 6.4.15 or above
FortiOS version 6.2.16 or above
Given the severity of this flaw, it was given a CVSS score of 9.6 out of 10. There is no indication that a PoC is available yet, but we assess that one will likely appear in the coming days or weeks. Moreover, Fortinet suggests in its advance warning that the vulnerability may already be exploited in the wild (exploit code maturity is ranked as high in the CVSS scoring).
Another critical flaw (a format-string bug tracked as CVE-2024-23113) was found by Fortinet in the FortiGate-to-FortiManager (FGFM) daemon. It has not been confirmed as exploited in the wild yet, even though its exploit code maturity is also ranked high in its 9.8 CVSS score.
Unfortunately, no information regarding these exploitation cases is available. Given that exploitation of FortiOS SSL-VPN tends to be favored by threat actors (especially Chinese APTs), we classify this advisory's threat level as 4 out of 5.
1.4 What you should do
We advise you to apply the security patches released by Fortinet to fix these vulnerabilities.
It should also be noted that disabling SSL VPN web mode (disable webmode) is not a valid workaround for CVE-2024-21762.
2. Appendices
Fortinet:
https://www.fortiguard.com/psirt/FG-IR-24-015
https://www.fortiguard.com/psirt/FG-IR-24-029
2.2 OCD links
Our Managed Vulnerability Intelligence [watch] clients can directly consult the advisory including all the details related to this vulnerability from the below links on our Threat Defense Center portal:
If you're interested in learning more about this OCD managed service, please reach us at team[AT]cert.orangecyberdefense.com, indicating that you're a World Watch beneficiary.
n/a
List of Affected Products by CVE-2024-21762:
FortiOS version 7.4.0 through 7.4.2
FortiOS version 7.2.0 through 7.2.6
FortiOS version 7.0.0 through 7.0.13
FortiOS version 6.4.0 through 6.4.14
FortiOS version 6.2.0 through 6.2.15
FortiOS 6.0 all versions
List of Affected Products by CVE-2024-23113:
FortiOS version 7.4.0 through 7.4.2
FortiOS version 7.2.0 through 7.2.6
FortiOS version 7.0.0 through 7.0.13
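As an added example (not part of the advisory, nor Fortinet code), the following Python helper checks inventory version strings against the affected ranges listed above for both CVEs and names the first fixed release on the same branch. The accepted version-string format (optional "v" prefix, three dotted integers, trailing build text ignored) is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges transcribed from the advisory: (major, minor) -> (first, last) patch level.
# last=None means every patch level of that branch ("FortiOS 6.0 all versions").
AFFECTED: Dict[str, Dict[Tuple[int, int], Tuple[int, Optional[int]]]] = {
    "CVE-2024-21762": {
        (7, 4): (0, 2), (7, 2): (0, 6), (7, 0): (0, 13),
        (6, 4): (0, 14), (6, 2): (0, 15), (6, 0): (0, None),
    },
    "CVE-2024-23113": {
        (7, 4): (0, 2), (7, 2): (0, 6), (7, 0): (0, 13),
    },
}

# First fixed release per branch, as listed in the advisory (no fixed 6.0 release is listed).
FIXED: Dict[Tuple[int, int], Version] = {
    (7, 6): (7, 6, 0), (7, 4): (7, 4, 3), (7, 2): (7, 2, 7),
    (7, 0): (7, 0, 14), (6, 4): (6, 4, 15), (6, 2): (6, 2, 16),
}

# Assumed input format: optional 'v' prefix, three dotted integers; anything after is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Version:
    """Parse e.g. 'v7.4.2 build2571' into (7, 4, 2); reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(version: Version, cve: str) -> bool:
    """True if version falls inside one of the advisory's affected ranges for cve."""
    major, minor, patch = version
    rng = AFFECTED[cve].get((major, minor))
    if rng is None:
        return False  # branch not listed (e.g. 7.6) -> not affected
    first, last = rng
    return patch >= first and (last is None or patch <= last)

def assess(text: str) -> Dict[str, object]:
    """Which CVEs apply, and the first fixed release on the same branch (None if not listed)."""
    version = parse_version(text)
    affected = [cve for cve in AFFECTED if is_affected(version, cve)]
    fixed = FIXED.get(version[:2]) if affected else None
    return {"version": version, "affected": affected,
            "upgrade_to": ".".join(map(str, fixed)) if fixed else None}
```

A 6.0.x device is reported as affected with no upgrade target, because the advisory lists no fixed 6.0 release; such devices need a move to a fixed branch rather than a patch-level update.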