Published: 17 October 2024
Prepared by: Adam Skupien, Vulnerability Security Analyst
This blog post updates our earlier bulletin at https://www.triskelelabs.com/blog/cve-2024-21762-cve-2024-23113-multiple-fortios-vulnerabilities.
This bulletin addresses a recent report by the US Cybersecurity & Infrastructure Security Agency (CISA) of the active exploitation of a CRITICAL-risk vulnerability present in FortiNet FortiOS.
As this vulnerability allows potential attackers to perform Remote Code Execution (RCE), the Triskele Labs team advises that all organisations using affected versions of FortiOS should follow the remediation steps outlined in the subsequent sections.
This vulnerability is being tracked as CVE-2024-23113.
On 7 February 2024, CISA indicated that similar vulnerabilities in FortiOS network appliances had been used by the state-sponsored threat actor Volt Typhoon to establish initial access to organisation networks.
Additionally, FortiGuard Labs have advised that threat actors are potentially exploiting this vulnerability in the wild.
On 9 February 2024, the Australian Cyber Security Centre (ACSC) released a vulnerability disclosure focused on the related vulnerability CVE-2024-21762, recommending that all organisations patch the affected devices and disable SSL VPN.
On 9 October 2024, CISA added CVE-2024-23113 to its catalogue of Known Exploited Vulnerabilities (KEV) indicating confirmed reports of active exploitation.
On 8 February 2024, FortiGuard Labs published vulnerability disclosure FG-IR-24-029, tracked as CVE-2024-23113, impacting the versions listed in the affected-versions table below.
This vulnerability is an externally controlled format string flaw in the fgfmd daemon of affected FortiOS versions: input supplied by a remote party is interpreted as a format string.
Using specially crafted requests, an unauthenticated attacker could initiate Remote Code Execution (RCE).
Several Proof-of-Concept exploits for this vulnerability have been publicly released on GitHub. Additionally, evidence that it is being exploited in the wild resulted in this vulnerability being added to the CISA KEV Catalogue on 9 October 2024.
The attack paths for this vulnerability could be used for data exfiltration, data encryption, or network traversal.
Due to the criticality of this vulnerability and its active exploitation, devices running affected versions of FortiOS should be treated as an attractive target for a threat actor and patched as a business priority to prevent exfiltration of data and leakage of Personally Identifiable Information (PII) and other sensitive data.
The attack path for this vulnerability has been classified by the National Vulnerability Database (NVD) as low complexity, with no privileges required for a threat actor to exploit it successfully.
Triskele Labs recommends upgrading to the latest version of FortiOS immediately to ensure permanent mitigation. The upgrade paths in the table below, provided by FortiGuard Labs, can be used to mitigate this vulnerability using their tool located at https://docs.fortinet.com/upgrade-tool.
If you are utilising an instance of FortiOS listed as impacted by this vulnerability, Triskele Labs recommends reviewing the firewall logs for unusual activity, in case this vulnerability has already been exploited.
If exploitation has already occurred, an attacker may have established persistence on the device, which an upgrade alone will not remove.
If an immediate update is not an option, a temporary workaround for CVE-2024-23113 is to remove access to FGFM from each interface. An example provided by FortiGuard Labs is listed below:
For each interface entry in the system:

    config system interface
        edit "portX"
            set allowaccess ping https ssh fgfm
        next
    end

Modify this entry to the following:

    config system interface
        edit "portX"
            set allowaccess ping https ssh
        next
    end
Please Note:
This workaround still allows connections initiated by the FortiGate device itself, but it will prevent FortiGate discovery from FortiManager.
Additionally, implementing a local-in policy that only allows FGFM connections from a specific IP address will reduce the attack surface, but the vulnerability could still be exploited from that IP address.
| Version | Affected Versions | Solution |
|---|---|---|
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiPAM 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiPAM 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiProxy 7.0 | 7.0.0 through 7.0.15 | Upgrade to 7.0.16 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.8 | Upgrade to 7.2.9 or above |
| FortiProxy 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
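The version table above and the interface workaround before it are both checks an administrator can run against a configuration backup rather than by hand on each device. The script below is an added example written for this bulletin, not Fortinet's or Triskele Labs' own tooling. It reads the version from the "#config-version=" header line that FortiGate backups begin with, compares it numerically against the ranges in the table, lists every interface whose "allowaccess" still includes fgfm, and emits the workaround CLI block for each. The sample backup is constructed: the model string, build number, dates and interface names ("port1", "port2", "mgmt") are made up, and the nested "config ipv6" block is included to show that an inner "end" must not terminate the interface section early.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the bulletin).
# The header follows the '#config-version=<model>-<version>-FW-build<n>-<date>:...'
# form of FortiOS backups; model, build, date and interface names are made up.
SAMPLE_BACKUP = """\
#config-version=FGT60F-7.0.12-FW-build0000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGT-EXAMPLE"
end
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
        config ipv6
            set ip6-allowaccess ping https
        end
    next
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "mgmt"
        set allowaccess fgfm
    next
end
"""

# Affected ranges and fixes transcribed from the bulletin's table:
# (product, first affected, last affected, solution).
AFFECTED = [
    ("FortiOS",    (7, 0, 0), (7, 0, 13), "Upgrade to 7.0.14 or above"),
    ("FortiOS",    (7, 2, 0), (7, 2, 6),  "Upgrade to 7.2.7 or above"),
    ("FortiOS",    (7, 4, 0), (7, 4, 2),  "Upgrade to 7.4.3 or above"),
    ("FortiProxy", (7, 0, 0), (7, 0, 15), "Upgrade to 7.0.16 or above"),
    ("FortiProxy", (7, 2, 0), (7, 2, 8),  "Upgrade to 7.2.9 or above"),
    ("FortiProxy", (7, 4, 0), (7, 4, 2),  "Upgrade to 7.4.3 or above"),
    ("FortiWeb",   (7, 4, 0), (7, 4, 2),  "Upgrade to 7.4.3 or above"),
]
FORTIPAM_BRANCHES = {(1, 0), (1, 1), (1, 2)}  # table: "all versions" of 1.0/1.1/1.2


def parse_version(text):
    """'7.0.12' -> (7, 0, 12). Numeric tuples compare correctly; as strings,
    '7.0.9' would wrongly sort after '7.0.14'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def remediation(product, version):
    """Solution string from the table if (product, version) is affected, else None."""
    v = parse_version(version)
    if product == "FortiPAM":
        return "Migrate to a fixed release" if v[:2] in FORTIPAM_BRANCHES else None
    for prod, lo, hi, fix in AFFECTED:
        if prod == product and lo <= v <= hi:
            return fix
    return None


def version_from_backup(config_text):
    """FortiOS version from the backup's '#config-version=' header, or None."""
    m = re.search(r"^#config-version=[^-\n]+-(\d+\.\d+\.\d+)-", config_text, re.M)
    return m.group(1) if m else None


def parse_interfaces(config_text):
    """{interface: [allowaccess services]} from 'config system interface'.
    Nested blocks ('config ipv6 ... end') are tracked by depth so an inner
    'end' does not terminate the section early."""
    interfaces, current, depth, in_section = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system interface" and depth == 1:
                in_section = True
            continue
        if line == "end":
            depth -= 1
            if in_section and depth == 0:
                break
            continue
        if not in_section or depth != 1:
            continue
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"set allowaccess (.+)$", line)
            if m:
                interfaces[current] = m.group(1).split()
    return interfaces


def fgfm_exposed(config_text):
    """Interfaces whose allowaccess still includes fgfm (the exposed service)."""
    return sorted(n for n, s in parse_interfaces(config_text).items() if "fgfm" in s)


def workaround_commands(config_text):
    """The bulletin's workaround block per exposed interface: the existing
    allowaccess list with fgfm removed ('unset' if nothing remains)."""
    ifaces = parse_interfaces(config_text)
    out = []
    for name in fgfm_exposed(config_text):
        kept = [s for s in ifaces[name] if s != "fgfm"]
        setting = f"set allowaccess {' '.join(kept)}" if kept else "unset allowaccess"
        out += ["config system interface", f'    edit "{name}"',
                f"        {setting}", "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    ver = version_from_backup(SAMPLE_BACKUP)
    print("version:", ver, "->", remediation("FortiOS", ver))
    print("fgfm exposed on:", fgfm_exposed(SAMPLE_BACKUP))
    print(workaround_commands(SAMPLE_BACKUP))
```

Run it against a real backup by replacing SAMPLE_BACKUP with the file contents; the version check is the only detection the bulletin currently offers, and the generated CLI block mirrors the workaround exactly, so it can be reviewed before being applied. The "unset allowaccess" case covers an interface that exposed nothing but fgfm.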
Currently, detection capabilities are limited to identifying the application's version number.
As Triskele Labs vendor partners release new detection logic, this bulletin will be updated with additional information.
Triskele Labs Security Operations Centre (SOC) customers with our Vulnerability Scanning service are currently being assessed. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored for IOCs and Lateral Movement.