Alert essentials: New FortiOS vulnerabilities have been reported, one of which may be weaponized or leveraged by attackers to jeopardize your data’s confidentiality, integrity, and availability. Upgrade vulnerable software versions immediately to protect against exploitation.
Detailed threat description: Four SSL VPN vulnerabilities have been discovered in FortiOS, and Fortinet states that one is potentially being exploited in the wild. CVE-2024-21762 is an out-of-bounds write vulnerability that could allow an attacker to execute arbitrary code. Details on the exploitation and specifics on how the flaw is being weaponized have not been released.
Historically, attackers have targeted Fortinet vulnerabilities. Another SSL VPN vulnerability was exploited in FortiOS as recently as December 2023. Chinese APT threat groups are known to conduct destructive cyber activity against the U.S. by exploiting vulnerabilities and using living-off-the-land techniques.
Recently, government agencies have warned that Chinese hackers are positioning themselves for malicious cyber activity on IT networks in the event of a crisis or conflict with the U.S.
Protect infrastructures and valuable data by immediately upgrading FortiOS versions on any vulnerable devices.
Impacts on healthcare organizations: A hacker can compromise an entire IT network with this vulnerability, potentially impacting life-saving technology or making vital technologies unavailable.
Affected products / versions:
- FortiOS 7.4.0 through 7.4.2
- FortiOS 7.2.0 through 7.2.6
- FortiOS 7.0.0 through 7.0.13
- FortiOS 6.4.0 through 6.4.14
- FortiOS 6.2.0 through 6.2.15
- FortiOS 6.0 all versions
- FortiProxy 7.4.0 through 7.4.2
- FortiProxy 7.2.0 through 7.2.8
- FortiProxy 7.0.0 through 7.0.14
- FortiProxy 2.0.0 through 2.0.13
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
- FortiProxy 1.0 all versions
CVEs
- CVE-2024-21762
- CVE-2024-23113
- CVE-2023-44487
- CVE-2023-47537
Recommendations
Engineering recommendations:
- Update software versions on all vulnerable FortiOS devices
- Disabling webmode is NOT a valid workaround
- Workaround: disable SSL VPN
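To turn the affected-version list above and the "update all vulnerable devices" recommendation into a repeatable check, here is an added example (not code from the advisory or from Fortinet) that flags inventory entries whose FortiOS / FortiProxy version falls inside one of the ranges listed above. The ranges are transcribed from this advisory; the inventory and hostnames are constructed.

```python
# Added example, not from the advisory: check a FortiOS / FortiProxy version
# string against the affected ranges listed in the advisory above.
import re

# Ranges transcribed from the "Affected products / versions" list, inclusive.
# hi=None means every version in that release line ("all versions").
AFFECTED = {
    "FortiOS": [((7, 4, 0), (7, 4, 2)), ((7, 2, 0), (7, 2, 6)),
                ((7, 0, 0), (7, 0, 13)), ((6, 4, 0), (6, 4, 14)),
                ((6, 2, 0), (6, 2, 15)), ((6, 0, 0), None)],
    "FortiProxy": [((7, 4, 0), (7, 4, 2)), ((7, 2, 0), (7, 2, 8)),
                   ((7, 0, 0), (7, 0, 14)), ((2, 0, 0), (2, 0, 13)),
                   ((1, 2, 0), None), ((1, 1, 0), None), ((1, 0, 0), None)],
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Turn 'v7.4.1' or '7.0.12,build2571' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(product, version):
    """True if version lies in one of the advisory's ranges for product.
    A version outside every range is merely 'not listed', not proven safe:
    re-check against the vendor PSIRT entry, which may have been updated."""
    v = parse_version(version)
    for lo, hi in AFFECTED[product]:
        if hi is None:            # whole release line, e.g. FortiOS 6.0.x
            if v[:2] == lo[:2]:
                return True
        elif lo <= v <= hi:
            return True
    return False

def triage(inventory):
    """inventory: iterable of (host, product, version) -> hosts to patch first."""
    return [h for h, p, ver in inventory if is_affected(p, ver)]

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("fw-edge-01", "FortiOS", "v7.4.1"), ("fw-edge-02", "FortiOS", "7.4.3"),
              ("fw-dc-01", "FortiOS", "6.0.17"), ("proxy-01", "FortiProxy", "7.0.15")]
    for host in triage(sample):
        print(f"{host}: in an affected range; upgrade, or disable SSL VPN until patched")
```

Feed it the version strings from your asset inventory; anything it flags should be scheduled for the upgrade (or have SSL VPN disabled) first, and anything it does not flag still needs confirming against the current Fortinet PSIRT advisory.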
Leadership / program recommendations:
- Multiple nation-state threat actors have exploited vulnerabilities in Fortinet devices
- Fortinet vulnerabilities have appeared in the lists of top routinely exploited vulnerabilities published over the last few years by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with other U.S. and international agencies
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Fortinet: PSIRT | FortiGuard
- https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability
- https://www.reuters.com/technology/cybersecurity/chinese-hackers-are-targeting-us-infrastructure-fbi-chief-testify-2024-01-31/
- https://www.cisa.gov/news-events/alerts/2024/02/09/fortinet-releases-security-advisories-fortios
- https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/china/publications
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/