Fortinet FortiOS vulnerability: How to defend against CVE-2024-21762

Earlier this month, cybersecurity giant Fortinet published an advisory urging its customers to patch a vulnerability in the SSL VPN functionality of FortiOS and FortiProxy. The advisory states the vulnerability is “potentially being exploited in the wild.” A day after Fortinet published the advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that exploitation of CVE-2024-21762 indeed occurred in the wild; they added it to its Known Exploited Vulnerabilities (KEV) catalog and instructed federal civilian agencies to upgrade their vulnerable Fortinet products.

The quick response from CISA is unsurprising, given that the popular Fortinet SSL VPNs have often been targeted by state-sponsored Advanced Persistent Threat (APT) groups. Another FortiOS vulnerability made headlines last year when a Chinese APT group allegedly used CVE-2023-27997 to infiltrate and compromise critical civilian and military infrastructure in Guam, a U.S. island territory in the Western Pacific.

The vulnerability

According to FortiNet’s advisory, CVE-2024-21762 could allow “a remote unauthenticated attacker to execute arbitrary code or command via a specially crafted HTTP requested.” The vulnerability received a CVSS 3.1 base score of 9.6 out of 10 and is therefore considered critical severity.

It affects FortiOS versions:

• all 6.0 versions
• 6.2.0 through 6.2.15,
• 6.4.0 through 6.4.14,
• 7.0.0 through 7.0.13,
• 7.2.0 through 7.2.6 and 7.4.0 through 7.4.2.

The vulnerable FortiProxy versions are

• all 1.2 versions,
• 2.0.0 through 2.0.13,
• 7.0.0 through 7.0.14,
• 7.2.0 through 7.2.8,
• and 7.4.0 through 7.4.2.

This threat stems from an out-of-bounds write vulnerability, which is not only a common flaw but is a very dangerous one when abused. MITRE has said out-of-bounds-write (CWE-787) vulnerabilities topped the list of the most dangerous software vulnerabilities in the last three years. An out-of-bounds write happens when software alters memory it’s not supposed to, such as by writing data to a memory buffer and overshooting the end of that buffer, causing it to change other variables and information or crash unexpectedly. This kind of bug can be triggered accidentally through normal operation, or it can be triggered deliberately by exploit code, like in the case of CVE-2024-21762.

Current solution

Fortinet advises customers to upgrade their FortiOS devices to the following versions:

• FortiOS 6.0 versions should upgrade to 6.2.16 and above,
• 6.4 versions should upgrade to 6.4.15 and above,
• 7.0 versions should upgrade to 7.0.14 and above,
• 7.2 versions should upgrade to 7.2.7 and above,
• and 7.4 versions should upgrade to 7.4.3.

Fortinet advises customers to upgrade their FortiProxy devices to the following versions:

• FortyProxy 2.0 versions should upgrade to 2.0.14 and above,
• 7.0 versions should upgrade to 7.0.15 and above,
• 7.2 versions should upgrade to 7.2.9 and above,
• and 7.4 versions should upgrade to 7.4.3 and above.

Customers who cannot upgrade their FortiOS and FortiProxy systems are advised to disable the SSL VPN functionality in the affected products.

How Skybox helps

The Skybox Research Lab added this vulnerability to our threat intelligence feed shortly after the discovery was made public.

Skybox customers with FortiOS in their organization network can detect the vulnerability through our Vulnerability and Threat Management solution’s vulnerability discovery capabilities. Information on fixed versions and a workaround is provided in the feed; additionally, a custom risk score is provided based on the exposure level of the vulnerable assets to the attack vector of CVE-2024-21762. Skybox threat intelligence also provides information on additional mitigation possibilities. It prescribes compensating security controls, such as an IPS signature or firewall rule modification, to mitigate exposure risk on the customer’s network.