On Thursday, Fortinet announced two new critical vulnerabilities in FortiOS: CVE-2024-21762, an out-of-bounds write in the SSL VPN daemon, and CVE-2024-23113, a format string bug in the FortiManager protocol daemon (fgfmd). Successful exploitation of either leads to remote code execution.
If critical vulnerabilities weren't bad enough, Fortinet also reports that CVE-2024-21762 is potentially being exploited in the wild. Because it sits in the SSL VPN service, which is typically Internet-facing, and is reachable by an unauthenticated attacker with a crafted HTTP request, mass scanning and exploitation attempts should be expected shortly.
Impacted Versions, Available Patches, and Workarounds
Impacted FortiOS versions for CVE-2024-21762 include 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. Patches are available for 6.2 through 7.4. FortiOS 6.0 has reached end of life and will not receive a patch; if you are still running 6.0, Fortinet recommends migrating to a fixed release, or disabling the SSL VPN service entirely until you can. Note that Fortinet is explicit that disabling only web mode is not a valid workaround: the whole SSL VPN service has to be off.
Impacted FortiOS versions for CVE-2024-23113 are 7.0, 7.2 and 7.4, with patches available for each. Fortinet's workaround for this one is to remove fgfm from the allowaccess list on every interface, which stops FortiManager from discovering the FortiGate. A local-in policy that restricts FGFM to the FortiManager's address reduces the attack surface, but does not prevent exploitation from that address.
What That Means
Both of the announced vulnerabilities result in remote code execution. RCE bugs sit among the highest-rated security issues because they give an attacker effectively full control of the exploited device: they can create users, change the configuration, or move straight to deploying a second-stage implant. In fact, the Netherlands National Cyber Security Centre (NCSC) recently reported that threat actors were abusing an older FortiGate vulnerability (CVE-2022-42475) to deploy a remote access trojan dubbed COATHANGER, an implant that the Dutch report notes survives reboots and firmware upgrades, so patching alone does not evict an attacker who is already on the box. There is no evidence that these new vulnerabilities have been used to deploy that malware, but it is certainly possible.
Organizations running Fortinet devices should review the patch levels of their devices now and plan to update as soon as possible. As Fortinet has noted, CVE-2024-21762 shows evidence of in-the-wild exploitation. Considering too that the vulnerable code is reached with a single unauthenticated HTTP request to the SSL VPN portal, it is likely we'll see this abused widely and frequently. At the time of writing no public exploit has surfaced, which creates a *small* barrier, but that's almost like saying a single piece of scotch tape will keep a cracked dam from busting wide open.
CVE-2024-23113 is being overshadowed by CVE-2024-21762, but it should not be taken lightly either. Details are thin at this time, but it is probably taking the back seat for a few reasons: there is no reported active exploitation, the fgfmd service is normally exposed on management interfaces rather than to the Internet, so exploitation looks more like an internal or post-breach attack, and the sheer number of organizations running SSL VPN likely dwarfs those with fgfmd reachable. However, this vulnerability can also result in remote code execution, which makes it just as important to patch as 21762.
What Should I Do
Patches should be applied as soon as possible in this instance. If patching is not an option right away, use one of Fortinet's approved workarounds as a temporary measure until patching can be completed: disable the SSL VPN service for CVE-2024-21762, and remove fgfm from interface allowaccess for CVE-2024-23113. If you are running unsupported versions, it's time to bite the bullet and upgrade to a supported release.
How Would I Know
Details are still light, so there is no reliable indicator yet for identifying active attacks or already-compromised devices. Until there is, we can only recommend the basics:
- Monitor incoming traffic to the SSL VPN portal, specifically unusual or malformed HTTP requests
- Monitor changes to FortiOS configurations
- Alert on new user creations and on unusual activity from existing accounts
- Alert on unusual administrative commands
- Alert on unusual or suspicious user/administrator logins: unusual location, login without MFA (if enabled), etc.
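As an added example (not Blumira's detections and not Fortinet's code), here is a minimal Python pass over FortiOS-style event log lines that implements three of the checks above: successful and failed admin logins from outside your management ranges, creation of a new administrator account, and configuration changes made from an external address. The log lines are constructed to mirror the FortiOS key=value event format; the device name, user names, timestamps and addresses are made up, and the use of `srcip` and `ui="https(addr)"` as the source fields, the `cfgpath`/`action` fields for configuration changes, and the `INTERNAL_NETS` list are all assumptions you should check against your own logs.

```python
"""Added example: indicator checks over constructed FortiOS-style event logs."""
import ipaddress
import re

# Constructed sample log lines (FortiOS writes space-separated key=value pairs;
# values containing spaces are double-quoted). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for arbitrary Internet addresses.
SAMPLE_LOGS = [
    'date=2024-02-09 time=08:12:41 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" '
    'srcip=203.0.113.45 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(203.0.113.45)"',
    'date=2024-02-09 time=08:13:05 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" '
    'action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2024-02-09 time=09:01:17 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Admin login successful" user="jsmith" ui="https(10.20.0.7)" '
    'srcip=10.20.0.7 action="login" status="success" '
    'msg="Administrator jsmith logged in successfully from https(10.20.0.7)"',
    'date=2024-02-09 time=09:02:40 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="jsmith" ui="ssh(10.20.0.7)" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"',
    'date=2024-02-09 time=11:45:59 devname="fw-edge-1" type="event" subtype="system" '
    'logdesc="Admin login failed" user="admin" ui="https(198.51.100.9)" '
    'srcip=198.51.100.9 action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from https(198.51.100.9)"',
]

# key=value where the value is either a double-quoted string or a bare token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ASSUMPTION: networks from which administrative access is expected. Replace with
# your own management ranges; anything outside them is treated as external.
# (Do not use ipaddress.is_global here: it also classifies the documentation
# ranges used in the samples as non-global.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_fortios_log(line):
    """Return the key=value pairs of one log line as a dict, quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def is_external(ip):
    """True when ip parses and falls outside every network in INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def source_ip(event):
    """Login events carry srcip; config-change events only carry ui="https(addr)"."""
    if event.get("srcip"):
        return event["srcip"]
    m = re.search(r"\(([^)]+)\)", event.get("ui", ""))
    return m.group(1) if m else ""


def detect(event):
    """Return the names of every rule the parsed event matches."""
    alerts = []
    ext = is_external(source_ip(event))
    if event.get("action") == "login":
        if event.get("status") == "success" and ext:
            alerts.append("admin_login_external")
        elif event.get("status") == "failed" and ext:
            alerts.append("admin_login_failed_external")
    # A new administrator: an Add on the system.admin table.
    if event.get("cfgpath") == "system.admin" and event.get("action") == "Add":
        alerts.append("admin_account_created")
    # Any configuration change whose originating session is external.
    if "cfgpath" in event and ext:
        alerts.append("config_change_external")
    return alerts


def analyze(lines):
    """Parse each line and collect one finding per matched rule."""
    findings = []
    for line in lines:
        ev = parse_fortios_log(line)
        for rule in detect(ev):
            findings.append({"rule": rule, "user": ev.get("user", "?"),
                             "srcip": source_ip(ev), "time": ev.get("time", "")})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['time']} {f['rule']:<28} user={f['user']} src={f['srcip']}")
```

Run against the constructed lines, the first login, the `system.admin` add, and the failed login from 198.51.100.9 are flagged, while jsmith's login and policy edit from 10.20.0.7 are not. In a real deployment the interesting part is tuning `INTERNAL_NETS` and adding your FortiManager address and known jump hosts, since a legitimate external admin login and a post-exploitation one look identical at this layer.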
Blumira can help!
We have several existing detections and global reports that can be used to track what is happening on your Fortinet devices, listed below. We will continue to monitor the situation and deploy additional detections and reports as needed.
- Fortigate Firmware Available
- Fortigate: Successful Admin Login from External IP Address
- Fortigate: SSL-VPN pre-auth RCE CVE-2022-42475
- Fortigate: Authentication Bypass CVE-2022-40684
- Fortigate: Failed Admin Login from External IP Address
- Fortigate: Configuration Change
- Fortigate SSLVPN Anomalous Access Attempts
- Fortigate: Failed Admin Management Login from External IP
- Fortigate: Successful Admin Management Login from External IP
- Fortigate: System Configuration changes
- Fortigate: VPN – successful logins