Critical Vulnerabilities in Fortinet FortiOS

BACKGROUND

Fortinet has recently disclosed two critical vulnerabilities (CVE-2024-21762 and CVE-2024-23113) in
Fortinet products that could be exploited to gain unauthorised access to affected systems.

CVE-2024-21762
A critical remote code execution (RCE) vulnerability affecting FortiOS, the operating system that runs on
FortiGate SSL VPNs, allows a remote unauthenticated attacker to execute arbitrary code or commands via
specially crafted HTTP requests. This vulnerability is being actively exploited in the wild.

CVE-2024-23113
An externally-controlled format string vulnerability in the FortiOS fgfmd daemon that may allow a remote
unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

IMPACT

  •  Execution of unauthorized code or commands
  •  Corruption of sensitive data
  •  System crash

AFFECTED PRODUCTS

  •  FortiOS 7.4.0 through 7.4.2 (CVE-2024-23113, CVE-2024-21762)
  •  FortiOS 7.2.0 through 7.2.6 (CVE-2024-23113, CVE-2024-21762)
  •  FortiOS 7.0.0 through 7.0.13 (CVE-2024-23113, CVE-2024-21762)
  •  FortiOS 6.4.0 through 6.4.14 (CVE-2024-21762)
  •  FortiOS 6.2.0 through 6.2.15 (CVE-2024-21762)
  •  FortiOS 6.0 all versions (CVE-2024-21762)
  •  FortiProxy 7.4.0 through 7.4.2 (CVE-2024-21762)
  •  FortiProxy 7.2.0 through 7.2.8 (CVE-2024-21762)
  •  FortiProxy 7.0.0 through 7.0.14 (CVE-2024-21762)
  •  FortiProxy 2.0.0 through 2.0.13 (CVE-2024-21762)
  •  FortiProxy 1.2 all versions (CVE-2024-21762)
  •  FortiProxy 1.1 all versions (CVE-2024-21762)
  •  FortiProxy 1.0 all versions (CVE-2024-21762)
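As an added triage helper (not part of this advisory), the Python below maps a reported product and version to the CVEs that the AFFECTED PRODUCTS list above associates with it. The product names, version ranges and CVE identifiers are transcribed from that list; the function names are my own, and the ranges should be confirmed against the vendor advisory before acting on them.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (product, lowest affected, highest affected, CVEs) transcribed from the
# AFFECTED PRODUCTS list above. high=None means "all versions" of that train.
AFFECTED = [
    ("FortiOS",    "7.4.0", "7.4.2",  ("CVE-2024-23113", "CVE-2024-21762")),
    ("FortiOS",    "7.2.0", "7.2.6",  ("CVE-2024-23113", "CVE-2024-21762")),
    ("FortiOS",    "7.0.0", "7.0.13", ("CVE-2024-23113", "CVE-2024-21762")),
    ("FortiOS",    "6.4.0", "6.4.14", ("CVE-2024-21762",)),
    ("FortiOS",    "6.2.0", "6.2.15", ("CVE-2024-21762",)),
    ("FortiOS",    "6.0",   None,     ("CVE-2024-21762",)),
    ("FortiProxy", "7.4.0", "7.4.2",  ("CVE-2024-21762",)),
    ("FortiProxy", "7.2.0", "7.2.8",  ("CVE-2024-21762",)),
    ("FortiProxy", "7.0.0", "7.0.14", ("CVE-2024-21762",)),
    ("FortiProxy", "2.0.0", "2.0.13", ("CVE-2024-21762",)),
    ("FortiProxy", "1.2",   None,     ("CVE-2024-21762",)),
    ("FortiProxy", "1.1",   None,     ("CVE-2024-21762",)),
    ("FortiProxy", "1.0",   None,     ("CVE-2024-21762",)),
]


def parse_version(s: str) -> Version:
    """'v7.0.13' -> (7, 0, 13); only major.minor.patch is considered."""
    return tuple(int(p) for p in s.strip().lstrip("vV").split(".")[:3])


def _pad(v: Version) -> Version:
    """Pad to three components so '7.0' compares as 7.0.0."""
    return v + (0,) * (3 - len(v))


def in_range(v: Version, low: str, high: Optional[str]) -> bool:
    lo = parse_version(low)
    if high is None:
        return v[: len(lo)] == lo  # "all versions" of a release train
    return _pad(lo) <= _pad(v) <= _pad(parse_version(high))


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVEs listed for this product/version, in advisory order."""
    v = parse_version(version)
    hits: List[str] = []
    for prod, low, high, cves in AFFECTED:
        if prod.lower() == product.lower() and in_range(v, low, high):
            hits.extend(c for c in cves if c not in hits)
    return hits
```

An empty result only means the version is outside the ranges this advisory lists, not that the device is patched against everything.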

RECOMMENDATIONS
It is recommended to upgrade to the latest version and migrate to a fixed release provided by Fortinet.

CVE-2024-21762

  •  Disabling SSL VPN on FortiOS devices can mitigate the risk until the device can be updated to a fixed version.

CVE-2024-23113

  •  Remove fgfm access on each interface until the system can be patched.