In Feb 2024, Fortigate patched 2 vulnerabilities in various devices one of which has been reported to be exploited in the wild.

CVE-2024-21762

This is an out-of-bound write vulnerability in the sslvpnd daemon, which could allow a remote unauthenticated attacker to execute arbitrary commands and code on the device. As its name suggests, sslvpnd daemon is responsible for SSL VPN connections. This vulnerability has been reported to be exploited in the wild and has a CVSS score of 9.6.

This vulnerability exists in binary handling the HTTP Transfer-Encoding header. In case, chunked value is used, the size of the data chunk, in hex, is prepended to the data sent. By modifying the chunk size, it is possible to cause unintentional memory access. A scanner is available online to check for vulnerable systems.

Vulnerable Products

S No.VersionAffectedSolution
1FortiOS 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
2FortiOS 7.27.2.0 through 7.2.6Upgrade to 7.2.7 or above
3FortiOS 7.07.0.0 through 7.0.13Upgrade to 7.0.14 or above
4FortiOS 6.46.4.0 through 6.4.14Upgrade to 6.4.15 or above
5FortiOS 6.26.2.0 through 6.2.15Upgrade to 6.2.16 or above
6FortiOS 6.06.0.0 through 6.0.17Upgrade to 6.0.18 or above
7FortiProxy 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
8FortiProxy 7.27.2.0 through 7.2.8Upgrade to 7.2.9 or above
9FortiProxy 7.07.0.0 through 7.0.14Upgrade to 7.0.15 or above
10FortiProxy 2.02.0.0 through 2.0.13Upgrade to 2.0.14 or above
11FortiProxy 1.21.2 all versionsMigrate to a fixed release
12FortiProxy 1.11.1 all versionsMigrate to a fixed release
13FortiProxy 1.01.0 all versionsMigrate to a fixed release

CVE-2024-23113

This is a format string vulnerability which could allow remote unauthenticated attackers to execute arbitrary code or  commands on the device. This vulnerability exists in the fgfmd daemon, which is responsible for communication between fortigate and fortimanager. The service on fortimanager listens for SSL connections over TCP port 541. This vulnerability has a CVSS score of 9.8.

Vulnerable Products

S No.VersionAffectedSolution
1FortiOS 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
2FortiOS 7.27.2.0 through 7.2.6Upgrade to 7.2.7 or above
3FortiOS 7.07.0.0 through 7.0.13Upgrade to 7.0.14 or above
4FortiPAM 1.3Not affectedNot Applicable
5FortiPAM 1.21.2 all versionsMigrate to a fixed release
6FortiPAM 1.11.1 all versionsMigrate to a fixed release
7FortiPAM 1.01.0 all versionsMigrate to a fixed release
8FortiProxy 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
9FortiProxy 7.27.2.0 through 7.2.8Upgrade to 7.2.9 or above
10FortiProxy 7.07.0.0 through 7.0.15Upgrade to 7.0.16 or above
11FortiWeb 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above

Further Reading

  1. https://www.fortiguard.com/psirt/FG-IR-24-029
  2. https://www.fortiguard.com/psirt/FG-IR-24-015
  3. https://github.com/BishopFox/cve-2024-21762-check/tree/main
  4. https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Security Advisory – Vulnerabilities in Fortinet”