CVE-2024-21762 - FortiOS Out of bounds write vulnerability / CVE-2024-23113 FortiOS format string vulnerability

by Critical Insight on February 12, 2024

This advisory is for organizations that use Fortinet products. If you do not use Fortinet products, this advisory may be discarded.

Summary

Fortinet has released patches to address two vulnerabilities. Both CVEs 2024-21762 and 2024-23113 are considered to be critical and easy to exploit for remote attackers. It should be assumed that threat actors are actively hunting for opportunities to leverage these vulnerabilities to access and compromise organizational networks. CISA has added the vulnerability CVE-2024-21762 to their catalog of known exploited vulnerabilities catalog. Fortinet warns that 2024-21762 has been noted to be exploited in the wild.

CVE-2024-21762 – Out of Bounds write in sslvpnd

CVSSv3.1: 9.8

Invalid parameter validations present within FortiOS and FortiProxy SSL-VPN may allow an unauthenticated, remote attacker to send an HTTP request crafted to trigger an out of bounds write, permitting them to execute arbitrary code.

CVE-2024-23113

CVSSv3: 9.8 - Format string bug in fgfmd

Format string vulnerability is present in the FortiOS fgfmd daemon, which is the FortiGate FortiManager and is enabled by default. This may allow and unauthenticated remote attacker to send tailored requests to execute arbitrary code.

Affected Platforms and Mitigations

CVE-2024-21762

Prioritize patching. No additional mitigations are noted.

Version	Affected	Solution
FortiOS 7.6	Not affected	Not Applicable
FortiOS 7.4	7.4.0 through 7.4.2	Upgrade to 7.4.3 or above
FortiOS 7.2	7.2.0 through 7.2.6	Upgrade to 7.2.7 or above
FortiOS 7.0	7.0.0 through 7.0.13	Upgrade to 7.0.14 or above
FortiOS 6.4	6.4.0 through 6.4.14	Upgrade to 6.4.15 or above
FortiOS 6.2	6.2.0 through 6.2.15	Upgrade to 6.2.16 or above
FortiOS 6.0	6.0 all versions	Migrate to a fixed release
FortiProxy 7.4	7.4.0 through 7.4.2	Upgrade to 7.4.3 or above
FortiProxy 7.2	7.2.0 through 7.2.8	Upgrade to 7.2.9 or above
FortiProxy 7.0	7.0.0 through 7.0.14	Upgrade to 7.0.15 or above
FortiProxy 2.0	2.0.0 through 2.0.13	Upgrade to 2.0.14 or above
FortiProxy 1.2	1.2 all versions	Migrate to a fixed release
FortiProxy 1.1	1.1 all versions	Migrate to a fixed release
FortiProxy 1.0	1.0 all versions	Migrate to a fixed release

CVE-2024-23313

Fortinet notes that the additional mitigations below may be implemented:

A “local in” policy that only allows connections from a specific IP will “reduce the attack surface but it won’t prevent the vulnerability from being exploited”
The fgfm access may be removed from each interface
Patches should be prioritized to address the vulnerability

Version	Affected	Solution
FortiOS 7.4	7.4.0 through 7.4.2	Upgrade to 7.4.3 or above
FortiOS 7.2	7.2.0 through 7.2.6	Upgrade to 7.2.7 or above
FortiOS 7.0	7.0.0 through 7.0.13	Upgrade to 7.0.14 or above
FortiPAM 1.2	1.2.0	Upgrade to 1.2.1 or above
FortiPAM 1.1	1.1.0 through 1.1.2	Upgrade to 1.1.3 or above
FortiPAM 1.0	1.0 all versions	Migrate to a fixed release
FortiProxy 7.4	7.4.0 through 7.4.2	Upgrade to 7.4.3 or above
FortiProxy 7.2	7.2.0 through 7.2.8	Upgrade to 7.2.9 or above
FortiProxy 7.0	7.0.0 through 7.0.14	Upgrade to 7.0.16 or above
FortiSwitchManager 7.2	7.2.0 through 7.2.3	Upgrade to 7.2.4 or above
FortiSwitchManager 7.0	7.0.0 through 7.0.3	Upgrade to 7.0.4 or above