Fortinet has released critical security updates to address vulnerabilities within its FortiOS, specifically targeting remote code execution flaws identified as CVE-2024-21762 and CVE-2024-23313. The Cybersecurity and Infrastructure Security Agency (CISA) has also highlighted the active exploitation of CVE-2024-21762, urging both Federal Civilian Executive Branch (FCEB) agencies and other organizations to apply necessary patches to mitigate potential cyber threats.
- CVE-2024-21762 [FG-IR-24-015 FortiOS]: An out-of-bounds write vulnerability within the FortiOS Secure Socket Layer Virtual Private Network (SSL VPN) service, allowing remote unauthenticated actors to execute arbitrary commands via specially crafted HTTP requests. This vulnerability is currently being exploited in the wild and has a Critical severity rating with a CVSS score of 9.6. Affected versions include FortiOS 7.4 (before 7.4.2), 7.2 (before 7.2.6), 7.0 (before 7.0.13), 6.4 (before 6.4.14), and 6.2 (before 6.2.15).
- CVE-2024-23313 [FG-IR-24-029 FortiOS]: Another critical vulnerability with a CVSS score of 9.8, allowing remote code execution through an “externally-controlled format string vulnerability” within the FortiOS fgfmd daemon. This issue has not been reported as exploited in the wild yet.
Threat Actor Exploitation
The exploitation of CVE-2024-21762 has been attributed to advanced persistent threat (APT) groups, with indications of nation-state sponsorship. A report by Fortinet a day prior to the advisory release detailed an espionage campaign by China-backed actors, utilizing known vulnerabilities, including CVE-2024-21762, targeting critical infrastructure and government-adjacent industries. This underscores the strategic targeting by nation-state actors to exploit critical vulnerabilities for espionage and potentially disruptive purposes.
Remediation and Mitigation
Fortinet has issued patches for the affected versions of FortiOS. Organizations using affected versions are urged to upgrade to the latest patched versions immediately. For those unable to upgrade, disabling the SSL VPN service is recommended as a temporary workaround. Adherence to good cyber hygiene practices, including timely patching and following remediation guidance, is emphasized as the best defense against these vulnerabilities.
CISA Advisory and Directives
CISA has added CVE-2024-21762 to its Known Exploited Vulnerabilities Catalog, mandating FCEB agencies to patch the vulnerability by February 16, 2024. While BOD 22-01 specifically targets FCEB agencies, CISA strongly advises all organizations to prioritize the remediation of catalog vulnerabilities to reduce their exposure to cyberattacks.
Analysis and Recommendations
The exploitation of CVE-2024-21762, particularly its active use in the wild and the critical nature of the vulnerability, highlights the ongoing risk posed by unpatched systems. The advisory indicates the significant threat level and the sophistication of attackers exploiting these vulnerabilities. Organizations are recommended to:
- Immediately apply available patches for affected Fortinet products.
- Disable SSL VPN services if unable to patch immediately.
- Review and enhance monitoring for anomalous activity related to FortiOS devices.
- Consider the broader implications of nation-state actors exploiting such vulnerabilities and assess their cybersecurity posture accordingly.
The active exploitation of CVE-2024-21762 and the issuance of security advisories by Fortinet and CISA underscore the critical need for prompt and effective vulnerability management practices. The involvement of nation-state actors in exploiting these vulnerabilities adds a layer of complexity and urgency to the cybersecurity challenges faced by organizations globally. As such, adherence to recommended mitigation strategies and a proactive security posture are paramount in defending against these and future cybersecurity threats.
Stay safe and informed,