BlogFebruary Fortinet Advisory: everything you need to know

February Fortinet Advisory: everything you need to know

Fortinet offers guidance to detect and mitigate CVE-2024-21762 and CVE-2024-23113, critical RCE vulnerabilities in FortiOS and FortiProxy, including guidance that organizations should patch urgently.

2 aANyg+

CVE-2024-21762 and CVE-2024-23113 are critical vulnerabilities in Fortinet's FortiOS and FortiProxy; they received a CVSS score of 9.6 and 9.8, respectively. Both vulnerabilities could allow a remote unauthenticated attacker to execute arbitrary code or commands, and CVE-2024-21762 is reportedly being exploited in the wild. Fortinet guidance recommends to upgrade FortiOS instances to patched versions as soon as possible. Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

What are CVE-2024-21762 and CVE-2024-23113? 

The vulnerability identified as CVE-2024-21762, rated with a CVSS score of 9.6, stems from improper parameter validation within FortiOS SSL-VPN. It can be exploited by a remote, unauthenticated attacker through specially crafted HTTP requests, leading to a scenario where bytes are copied beyond the buffer's limits. This results in memory corruption and the redirection of process flow, potentially allowing the execution of arbitrary code or commands. 

Similarly, CVE-2024-23113, carrying a CVSS score of 9.8, is attributed to a format string vulnerability found in the FortiOS fgfmd daemon. This flaw could enable a remote attacker, without any authentication, to execute arbitrary code or commands by sending specifically tailored requests. Note that this vulnerability only affects more recent product versions (dating back to March 2022). 

Exploitation in the wild 

Fortinet’s advisory states that CVE-2024-21762 is “potentially being exploited in the wild,” and that statement was followed by CISA adding CVE-2024-21762 to its Known Exploited Vulnerabilities catalog (KEV) and wrote “These types of vulnerabilities are frequent attack vectors for malicious cyber actors. 

Wiz Research data: what’s the risk to cloud environments?       

Based on Wiz data, 8% of cloud environments have resources vulnerable to CVE-2024-21762 or CVE-2024-23113, while 5% have publicly exposed instances. 

Which products are affected? 

CVE-2024-23113

ProductAffected versionRemediation
FortiOS 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
FortiOS 7.27.2.0 through 7.2.6Upgrade to 7.2.7 or above
FortiOS 7.07.0.0 through 7.0.13Upgrade to 7.0.14 or above
FortiPAM 1.21.2.0Upgrade to 1.2.1 or above
FortiPAM 1.11.1.0 through 1.1.2Upgrade to 1.1.3 or above
FortiPAM 1.01.0 all versionsMigrate to a fixed release
FortiProxy 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
FortiProxy 7.27.2.0 through 7.2.8Upgrade to 7.2.9 or above
FortiProxy 7.07.0.0 through 7.0.14Upgrade to 7.0.16 or above

CVE-2024-21762

ProductAffected versionRemediation
FortiOS 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
FortiOS 7.27.2.0 through 7.2.6Upgrade to 7.2.7 or above
FortiOS 7.07.0.0 through 7.0.13Upgrade to 7.0.14 or above
FortiOS 6.46.4.0 through 6.4.14Upgrade to 6.4.15 or above
FortiOS 6.26.2.0 through 6.2.15Upgrade to 6.2.16 or above
FortiOS 6.06.0 all versionsMigrate to a fixed release
FortiProxy 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
FortiProxy 7.27.2.0 through 7.2.8Upgrade to 7.2.9 or above
FortiProxy 7.07.0.0 through 7.0.14Upgrade to 7.0.15 or above
FortiProxy 2.02.0.0 through 2.0.13Upgrade to 2.0.14 or above
FortiProxy 1.21.2 all versionsMigrate to a fixed release
FortiProxy 1.11.1 all versionsMigrate to a fixed release
FortiProxy 1.01.0 all versionsMigrate to a fixed release

Workarounds and mitigations 

CVE-2024-21762

If you are unable to patch affected instances, it is possible to mitigate CVE-2024-21762 by disabling SSL VPN as a workaround. 

CVE-2024-23113

If you are unable to patch affected instances, it is possible to mitigate CVE-2024-23113 by removing FGFM access for each interface, as described in Fortinet's advisory (this will prevent FortiGate discovery from FortiManager, but connections from the FortiGate will still work). 

Query available in the Wiz Threat Center

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

References 

Continue reading

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management