On 8 February 2024, Fortinet’s FortiGuard disclosed two critical vulnerabilities affecting FortiOS. CVE-2024-23113, a format string vulnerability, and CVE-2024-21762, an out-of-bounds write vulnerability, could allow unauthenticated threat actors to execute arbitrary code or commands. FortiGuard has stated they are aware of potential exploitation of CVE-2024-21762.
Details of the potential exploitation of CVE-2024-21762 have not been disclosed at the time of writing. Additionally, Arctic Wolf has not identified any public Proof of Concept (PoC) exploits for either of these vulnerabilities. Several FortiOS vulnerabilities have been exploited in the past, such as the remote code execution (RCE) vulnerability CVE-2023-27997, which was exploited by threat actors in 2023. Considering the potential for various malicious activities upon exploitation and past incidents involving FortiOS vulnerabilities, Arctic Wolf anticipates threat actors might target these vulnerabilities soon.
CVE-2023-34992
Fortinet has also recently patched bypass variants of a critical vulnerability (CVE-2023-34992) disclosed in October 2023. These bypasses, tracked as CVE-2024-23108 and CVE-2024-23109, are critical vulnerabilities that can allow a remote unauthenticated threat actor to execute commands in various versions of FortiSIEM.
Recommendations for CVE-2024-21762 and CVE-2024-23113
Upgrade To a Fixed Version of FortiOS and FortiSIEM
Arctic Wolf strongly recommends upgrading to the latest patched versions of FortiOS and FortiSIEM to address these vulnerabilities. Below is a table outlining the affected and fixed versions:
| Product | Vulnerability | Affected Version | Fixed Version |
|---------|---------------|------------------|---------------|
| FortiOS | CVE-2024-23113, CVE-2024-21762 | 7.4.0 through 7.4.2 | 7.4.3 or above |
| FortiOS | CVE-2024-23113, CVE-2024-21762 | 7.2.0 through 7.2.6 | 7.2.7 or above |
| FortiOS | CVE-2024-23113, CVE-2024-21762 | 7.0.0 through 7.0.13 | 7.0.14 or above |
| FortiOS | CVE-2024-21762 | 6.4.0 through 6.4.14 | 6.4.15 or above |
| FortiOS | CVE-2024-21762 | 6.2.0 through 6.2.15 | 6.2.16 or above |
| FortiOS | CVE-2024-21762 | 6.0 all versions | Migrate to a fixed release |
| FortiSIEM | CVE-2023-34992, CVE-2024-23108, CVE-2024-23109 | | |
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
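As an added example (not part of the Arctic Wolf bulletin and not Fortinet tooling), the following Python helper transcribes the FortiOS rows of the table above into version ranges and reports which of the two CVEs a given FortiOS version string falls under. The version-string formats it accepts are an assumption about how FortiOS versions are commonly reported, and a branch the table does not list is reported as "unlisted" rather than as safe, since the bulletin makes no statement about it.

```python
import re

# Affected/fixed FortiOS ranges transcribed from the table above.
# Each entry: (first affected version, first fixed version or None, CVEs).
# None for the fixed version means the bulletin gives no fixed release on that
# branch (6.0: migrate to a fixed release), so every 6.0.x build is treated as affected.
FORTIOS_RANGES = [
    ((7, 4, 0), (7, 4, 3), ("CVE-2024-23113", "CVE-2024-21762")),
    ((7, 2, 0), (7, 2, 7), ("CVE-2024-23113", "CVE-2024-21762")),
    ((7, 0, 0), (7, 0, 14), ("CVE-2024-23113", "CVE-2024-21762")),
    ((6, 4, 0), (6, 4, 15), ("CVE-2024-21762",)),
    ((6, 2, 0), (6, 2, 16), ("CVE-2024-21762",)),
    ((6, 0, 0), None, ("CVE-2024-21762",)),
]


def parse_fortios_version(text):
    """Reduce strings such as 'v7.2.5', '7.2.5 build1517' or 'FortiOS 7.0.13'
    to a comparable (major, minor, patch) tuple. The accepted formats are an
    assumption about how the version is usually reported, not a Fortinet spec."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def fortios_exposure(text):
    """Return ("affected", [CVEs]), ("fixed", []) or ("unlisted", []) for a
    FortiOS version string, using only the ranges in the bulletin's table."""
    version = parse_fortios_version(text)
    for first, fixed, cves in FORTIOS_RANGES:
        if version[:2] != first[:2]:
            continue  # different major.minor branch
        if fixed is None or first <= version < fixed:
            return ("affected", list(cves))
        return ("fixed", [])
    # A branch the table does not mention (for example a newer release train):
    # the bulletin makes no statement about it, so do not report it as safe.
    return ("unlisted", [])


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any device.
    for sample in ("v7.2.5 build1517", "6.4.10", "7.4.3", "6.0.17", "7.6.0"):
        status, cves = fortios_exposure(sample)
        print(f"{sample:<18} {status:<9} {', '.join(cves)}")
```

Run against the version string from a device inventory or the output of a FortiOS version query; anything reported as "affected" maps directly to a row of the table, and "unlisted" is a prompt to consult the FortiGuard advisories rather than a clean result.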
Workarounds
For users who are currently unable to perform patches, FortiGuard has provided the following workarounds:
Remove fgfm Access
For CVE-2024-23113, a temporary workaround is to remove fgfm access on each interface until the system can be patched. For the specific changes, review the FortiGuard advisory for CVE-2024-23113.
Disable SSL VPN
For CVE-2024-21762, disabling SSL VPN on FortiOS devices can mitigate the risk until the device can be updated to a fixed version.
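To check whether the two workarounds above are actually in place across a fleet, a defender can audit exported FortiOS configurations rather than log in to each device. The following Python script is an added example, not code from the bulletin or from Fortinet: it parses the config/edit/set/next/end nesting of a FortiOS configuration export, flags every interface whose allowaccess list still contains fgfm, reports the SSL VPN status, and builds the CLI lines that would re-issue each offending allowaccess list without fgfm. The sample configuration is constructed, the `set allowaccess ...` and `set status disable` syntax is an assumption to be confirmed against the FortiGuard advisories, and treating anything other than an explicit `set status disable` as a finding is a deliberately conservative choice because exports omit default values.

```python
import shlex

# Constructed sample of a FortiOS configuration export (not taken from a real
# device). port1 still allows fgfm and SSL VPN is enabled: the two settings the
# workarounds above change.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping https
    next
end
config vpn ssl settings
    set status enable
    set port 10443
end
"""


def parse_fortios_config(text):
    """Minimal line-based parser for the config/edit/set/next/end nesting used by
    FortiOS exports. Returns (section path, entry name, key, values) for every
    'set' line; only those five keywords are interpreted (an assumption that the
    export uses no other structural keywords)."""
    frames = []  # one [section name, current entry] frame per open 'config' block
    rows = []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # handles quoted names such as "port1"
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "config":
            frames.append([" ".join(tokens[1:]), None])
        elif keyword == "edit":
            frames[-1][1] = tokens[1]
        elif keyword == "next":
            frames[-1][1] = None
        elif keyword == "end":
            frames.pop()
        elif keyword == "set" and len(tokens) >= 2:
            path = tuple(frame[0] for frame in frames)
            rows.append((path, frames[-1][1], tokens[1], tokens[2:]))
    return rows


def audit_fortios_config(text):
    """Return findings: interfaces with fgfm in allowaccess, plus the SSL VPN
    status unless it is explicitly 'disable'."""
    findings = []
    ssl_status = None
    for path, entry, key, values in parse_fortios_config(text):
        if path == ("system interface",) and key == "allowaccess" and "fgfm" in values:
            findings.append(f"{entry}: fgfm in allowaccess ({' '.join(values)})")
        elif path == ("vpn ssl settings",) and key == "status":
            ssl_status = values[0]
    if ssl_status != "disable":
        findings.append(f"SSL VPN status: {ssl_status or 'not set'} (not explicitly disabled)")
    return findings


def fgfm_removal_commands(text):
    """Build CLI lines that re-issue each offending interface's allowaccess list
    without fgfm (assumed syntax mirroring the export; verify against the advisory).
    Returns an empty list when no interface allows fgfm."""
    lines = []
    for path, entry, key, values in parse_fortios_config(text):
        if path == ("system interface",) and key == "allowaccess" and "fgfm" in values:
            kept = [v for v in values if v != "fgfm"]
            setting = f"set allowaccess {' '.join(kept)}" if kept else "unset allowaccess"
            lines += [f'    edit "{entry}"', f"        {setting}", "    next"]
    return ["config system interface"] + lines + ["end"] if lines else []


if __name__ == "__main__":
    for finding in audit_fortios_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("\n".join(fgfm_removal_commands(SAMPLE_CONFIG)))
```

Run it over the text of a `show` or configuration backup for each device; an empty findings list means no interface still lists fgfm and SSL VPN is explicitly disabled, which is the state the workarounds aim for until the device is upgraded.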
References
- FortiGuard Advisory for CVE-2024-23113
- FortiGuard Advisory for CVE-2024-21762
- FortiGuard Advisory for CVE-2023-34992, CVE-2024-23108, and CVE-2024-23109
- AW Blog (CVE-2023-27997)