TR-81 - Critical FortiOS vulnerabilities in sslvpnd and fgfmd

Two critical vulnerabilities in FortiOS:

  • An out-of-bounds write vulnerability [CWE-787] in FortiOS allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. FG-IR-24-015 - CVE-2024-21762
  • A use of externally-controlled format string vulnerability [CWE-134] in the FortiOS fgfmd daemon allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. FG-IR-24-029 - CVE-2024-23113

Recommendations

  • Check the Fortinet upgrade tool to determine which version to install.
  • If you are using SSL VPN in FortiOS, Fortinet recommends disabling the SSL VPN as a workaround.
  • CIRCL advises initiating an incident response procedure, reviewing all logs, and especially scrutinizing any potential access from the VPN to other internal infrastructure.
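As an added illustration of the log review CIRCL recommends (example code, not part of this advisory), the script below correlates SSL VPN tunnel-up events with later traffic from the assigned tunnel address into internal ranges, so each VPN user can be listed with the internal hosts and ports reached. The FortiGate-style key="value" field names (tunnelip, remip, srcip, dstip, dstport) are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a FortiGate-style key="value" syslog layout.
# Field names are assumed for illustration, not taken from the advisory.
SAMPLE_LOGS = """\
date=2024-02-09 time=03:12:41 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip="203.0.113.45" tunnelip="10.212.134.200"
date=2024-02-09 time=03:13:02 type="traffic" subtype="forward" srcip="10.212.134.200" dstip="10.0.5.10" dstport=445 action="accept"
date=2024-02-09 time=03:13:09 type="traffic" subtype="forward" srcip="10.212.134.200" dstip="10.0.5.11" dstport=3389 action="accept"
date=2024-02-09 time=03:20:00 type="traffic" subtype="forward" srcip="10.212.134.200" dstip="198.51.100.7" dstport=443 action="accept"
date=2024-02-09 time=08:00:15 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip="198.51.100.23" tunnelip="10.212.134.201"
date=2024-02-09 time=08:01:30 type="traffic" subtype="forward" srcip="10.212.134.201" dstip="10.0.7.20" dstport=443 action="accept"
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key/value fields of one log line as a dict."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in FIELD_RE.finditer(line)
    }


def vpn_to_internal(log_text, internal_nets):
    """Map (vpn user, remote IP) -> list of (internal dst IP, dst port) reached.

    A tunnel-up event binds the assigned tunnel IP to the user and the
    remote address; every later accepted flow from that tunnel IP into one
    of the internal networks is recorded against that user.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    tunnels = {}                      # tunnel IP -> (user, remote IP)
    reached = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "tunnel-up":
            tunnels[rec["tunnelip"]] = (rec["user"], rec["remip"])
        elif rec.get("type") == "traffic" and rec.get("srcip") in tunnels:
            dst = ipaddress.ip_address(rec["dstip"])
            if any(dst in net for net in nets):
                reached[tunnels[rec["srcip"]]].append((rec["dstip"], int(rec["dstport"])))
    return dict(reached)


if __name__ == "__main__":
    for (user, remip), hosts in vpn_to_internal(SAMPLE_LOGS, ["10.0.0.0/16"]).items():
        print(f"{user} from {remip} reached internal: {hosts}")
```

Run against the real VPN event and forward traffic logs, the output gives a per-session list of internal hosts to scrutinise; the internal ranges and field names must be adapted to the local deployment.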

Vulnerable systems in Luxembourg and Exploitation

  • The number of exposed devices running FortiOS within the IPv4 ranges of Luxembourg exceeds 650. These devices vary widely in their versions. We strongly recommend that any users or organizations using FortiOS review their current inventory, test the version, and assess their actual exposure.
  • Fortinet/FortiGuard Labs has confirmed the exploitation of CVE-2024-21762/FG-IR-24-015.

Detection and Incident Response

  • As of now, there are no detection rules available for these two vulnerabilities.

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 9th February 2024 ("may" was removed from the original advisory wording, as it is exploited in the wild)