CVE-2024-21762 and CVE-2024-23113 - Fortinet FortiOS Vulnerabilities Under Active Exploit

Altitude Security

Table of Contents

Fortinet has been busy patching several critical vulnerabilities in their popular FortiOS firewall platform. According to advisories and reports from Fortinet's PSIRT team as well as third-party researchers, a number of these flaws have already been exploited actively in targeted attacks.

CVE-2024-21762 - Out-of-Bounds Write RCE

The Fortinet PSIRT published advisory FG-IR-24-015 detailing an out-of-bounds write vulnerability (CVE-2024-21762) affecting FortiOS SSL VPN. This critical RCE flaw impacts FortiOS versions 7.2.0 through 7.2.6 and 7.0.0 through 7.0.13. Fortinet recommends upgrading to patched versions or the other workaround is disabling SSL VPN (disable webmode is NOT a valid workaround). According to the advisory, this vulnerability is currently being exploited in the wild.

Version Affected Solution
FortiOS 7.6 Not affected Not Applicable
FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above
FortiOS 6.4 6.4.0 through 6.4.14 Upgrade to 6.4.15 or above
FortiOS 6.2 6.2.0 through 6.2.15 Upgrade to 6.2.16 or above
FortiOS 6.0 6.0 all versions Migrate to a fixed release
FortiProxy 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiProxy 7.2 7.2.0 through 7.2.8 Upgrade to 7.2.9 or above
FortiProxy 7.0 7.0.0 through 7.0.14 Upgrade to 7.0.15 or above
FortiProxy 2.0 2.0.0 through 2.0.13 Upgrade to 2.0.14 or above
FortiProxy 1.2 1.2 all versions Migrate to a fixed release
FortiProxy 1.1 1.1 all versions Migrate to a fixed release
FortiProxy 1.0 1.0 all versions Migrate to a fixed release

CVE-2024-23113 Format String RCE

Another advisory, FG-IR-24-029, covers a format string vulnerability (CVE-2024-23113) affecting the FortiOS fgfmd daemon. Impacted versions include 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, and 7.0.0 through 7.0.13. As with the previous flaw, Fortinet recommends upgrading to a patched release.

Version Affected Solution
FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above
FortiPAM 1.2 1.2.0 Upgrade to 1.2.1 or above
FortiPAM 1.1 1.1.0 through 1.1.2 Upgrade to 1.1.3 or above
FortiPAM 1.0 1.0 all versions Migrate to a fixed release
FortiProxy 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiProxy 7.2 7.2.0 through 7.2.8 Upgrade to 7.2.9 or above
FortiProxy 7.0 7.0.0 through 7.0.14 Upgrade to 7.0.15 or above
FortiSwitchManager 7.2 7.2.0 through 7.2.3 Upgrade to 7.2.4 or above
FortiSwitchManager 7.0 7.0.0 through 7.0.3 Upgrade to 7.0.4 or above

Potential Exploits by APT Groups

Research from BleepingComputer and SecurityWeek suggests that Chinese APT groups including Volt Typhoon, APT15, and APT31 have been actively taking advantage of these vulnerabilities in targeted attacks.

Nessus Plugin for Detection and Patching

Tenable has released Nessus plugin 190239 to help organizations detect if their Fortinet devices are vulnerable and in need of upgrading to a patched version.

Additional FortiSIEM Vulnerabilities Addressed

In a separate advisory, Fortinet also addressed two critical remote code execution vulnerabilities (CVE-2023-35081 and CVE-2023-35082) impacting its FortiSIEM product. Patches were released as covered by SecurityAffairs.

Admins are strongly urged to check their Fortinet VPN and firewall products for applicability of the above advisories, given active threats targeting these serious flaws impacting FortiOS and leaving systems exposed if exploited. Timely patching is recommended given evidence of attacks.

Advisories