On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on Fortigate SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.
According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred.
Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors. Other recent Fortinet SSL VPN vulnerabilities (e.g., CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by adversaries as both zero-day and as n-day following public disclosure.
Affected products
FortiOS versions vulnerable to CVE-2024-21762 include:
FortiOS 7.4.0 through 7.4.2
FortiOS 7.2.0 through 7.2.6
FortiOS 7.0.0 through 7.0.13
FortiOS 6.4.0 through 6.4.14
FortiOS 6.2.0 through 6.2.15
FortiOS 6.0 all versions
FortiProxy 7.4.0 through 7.4.2
FortiProxy 7.2.0 through 7.2.8
FortiProxy 7.0.0 through 7.0.14
FortiProxy 2.0.0 through 2.0.13
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions
Note: Fortinet’s advisory did not originally list FortiProxy as being vulnerable to this issue, but the bulletin was updated after publication to add affected FortiProxy versions.
Mitigation guidance
According to the Fortinet advisory, the following fixed versions remediate CVE-2024-21762:
FortiOS 7.4.3 or above
FortiOS 7.2.7 or above
FortiOS 7.0.14 or above
FortiOS 6.4.15 or above
FortiOS 6.2.16 or above
FortiOS 6.0 customers should migrate to a fixed release
FortiProxy 7.4.3 or above
FortiProxy 7.2.9 or above
FortiProxy 7.0.15 or above
FortiProxy 2.0.14 or above
FortiProxy 1.2, 1.1, and 1.0 customers should migrate to a fixed release
As a workaround, the advisory instructs customers to disable the SSL VPN with the added context that disabling the webmode is not a valid workaround. For more information and the latest updates, please refer to Fortinet’s advisory.
Rapid7 customers
InsightVM and Nexpose customers can assess their exposure to FortiOS CVE-2024-21762 with a vulnerability check available in the Friday, February 9 content release.
Source: Rapid7
Source Link: https://blog.rapid7.com/2024/02/12/etr-critical-fortinet-fortios-cve-2024-21762-exploited/