In Feb 2024, Fortigate patched 2 vulnerabilities in various devices one of which has been reported to be exploited in the wild.
CVE-2024-21762
This is an out-of-bound write vulnerability in the sslvpnd daemon, which could allow a remote unauthenticated attacker to execute arbitrary commands and code on the device. As its name suggests, sslvpnd daemon is responsible for SSL VPN connections. This vulnerability has been reported to be exploited in the wild and has a CVSS score of 9.6.
This vulnerability exists in binary handling the HTTP Transfer-Encoding header. In case, chunked value is used, the size of the data chunk, in hex, is prepended to the data sent. By modifying the chunk size, it is possible to cause unintentional memory access. A scanner is available online to check for vulnerable systems.
Vulnerable Products –
| S No. | Version | Affected | Solution |
| 1 | FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| 2 | FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| 3 | FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| 4 | FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| 5 | FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| 6 | FortiOS 6.0 | 6.0.0 through 6.0.17 | Upgrade to 6.0.18 or above |
| 7 | FortiProxy 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| 8 | FortiProxy 7.2 | 7.2.0 through 7.2.8 | Upgrade to 7.2.9 or above |
| 9 | FortiProxy 7.0 | 7.0.0 through 7.0.14 | Upgrade to 7.0.15 or above |
| 10 | FortiProxy 2.0 | 2.0.0 through 2.0.13 | Upgrade to 2.0.14 or above |
| 11 | FortiProxy 1.2 | 1.2 all versions | Migrate to a fixed release |
| 12 | FortiProxy 1.1 | 1.1 all versions | Migrate to a fixed release |
| 13 | FortiProxy 1.0 | 1.0 all versions | Migrate to a fixed release |
CVE-2024-23113
This is a format string vulnerability which could allow remote unauthenticated attackers to execute arbitrary code or commands on the device. This vulnerability exists in the fgfmd daemon, which is responsible for communication between fortigate and fortimanager. The service on fortimanager listens for SSL connections over TCP port 541. This vulnerability has a CVSS score of 9.8.
Vulnerable Products –
| S No. | Version | Affected | Solution |
| 1 | FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| 2 | FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| 3 | FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| 4 | FortiPAM 1.3 | Not affected | Not Applicable |
| 5 | FortiPAM 1.2 | 1.2 all versions | Migrate to a fixed release |
| 6 | FortiPAM 1.1 | 1.1 all versions | Migrate to a fixed release |
| 7 | FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| 8 | FortiProxy 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| 9 | FortiProxy 7.2 | 7.2.0 through 7.2.8 | Upgrade to 7.2.9 or above |
| 10 | FortiProxy 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| 11 | FortiWeb 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
Further Reading