Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN

Pierluigi Paganini February 09, 2024

Fortinet warns that the recently discovered critical remote code execution flaw in FortiOS SSL VPN, tracked CVE-2024-21762, is being actively exploited.

Fortinet is warning that the recently discovered critical remote code execution vulnerability in FortiOS SSL VPN, tracked as CVE-2024-21762 (CVSS score 9.6), is actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends to disable SSL VPN as a workaround.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following table includes the list of the impacted versions and the available versions that solve the issue.

FortiOS 7.6Not affectedNot Applicable
FortiOS through 7.4.2Upgrade to 7.4.3 or above
FortiOS through 7.2.6Upgrade to 7.2.7 or above
FortiOS through 7.0.13Upgrade to 7.0.14 or above
FortiOS through 6.4.14Upgrade to 6.4.15 or above
FortiOS through 6.2.15Upgrade to 6.2.16 or above
FortiOS 6.06.0 all versionsMigrate to a fixed release

The security firm also addressed another critical flaw in FortiOS, tracked as CVE-2024-23113 (CVSS score 9.8).

“A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthentified attacker to execute arbitrary code or commands via specially crafted requests.” reads the advisory.

The good news is that the vendor is not aware of attacks in the wild exploiting this flaw.

Vulnerabilities in Fortinet devices are often exploited by threat actors in the wild.

In December 2023, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution

This week, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published a joint report warning that a China-linked APT group breached the Dutch Ministry of Defence last year. The effects of the attack were limited because of the network segmentation implemented in the government infrastructure.

The government experts discovered a previously unpublished remote access trojan (RAT), tracked as COATHANGER, specifically designed to target Fortigate appliances. The RAT is used as second-stage malware, the experts pointed out that it doesn’t exploit a new vulnerability. COATHANGER is a stealthy malware that hooks system calls that could reveal its presence. The malware survives reboots and firmware upgrades.

The attack chain starts with the exploitation of the CVE-2022-42475 vulnerability for FortiGate devices.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

you might also like

leave a comment