Earlier this month, cybersecurity giant Fortinet published an advisory urging its customers to patch a vulnerability in the SSL VPN functionality of FortiOS and FortiProxy. The advisory states the vulnerability is “potentially being exploited in the wild.” A day after Fortinet published the advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that CVE-2024-21762 was indeed being exploited in the wild: it added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and instructed federal civilian agencies to upgrade their vulnerable Fortinet products.
The quick response from CISA is unsurprising, given that the popular Fortinet SSL VPNs have often been targeted by state-sponsored Advanced Persistent Threat (APT) groups. Another FortiOS vulnerability made headlines last year when a Chinese APT group allegedly used CVE-2023-27997 to infiltrate and compromise critical civilian and military infrastructure in Guam, a U.S. island territory in the Western Pacific.
The vulnerability
According to Fortinet’s advisory, CVE-2024-21762 could allow “a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” Because the SSL VPN web listener is, by design, reachable from the internet before any login, the bug is exploitable pre-authentication against every exposed device. The vulnerability carries a CVSS 3.1 base score of 9.6 out of 10, which places it in the critical severity band.
It affects the following FortiOS versions:
- all 6.0 versions,
- 6.2.0 through 6.2.15,
- 6.4.0 through 6.4.14,
- 7.0.0 through 7.0.13,
- 7.2.0 through 7.2.6,
- and 7.4.0 through 7.4.2.
The vulnerable FortiProxy versions are
- all 1.2 versions,
- 2.0.0 through 2.0.13,
- 7.0.0 through 7.0.14,
- 7.2.0 through 7.2.8,
- and 7.4.0 through 7.4.2.
The threat stems from an out-of-bounds write, a flaw that is both common and especially dangerous when abused: out-of-bounds write (CWE-787) has ranked first on MITRE’s CWE Top 25 Most Dangerous Software Weaknesses list for the last three years (2021 through 2023). An out-of-bounds write happens when software writes to memory outside the buffer it intended to write to, typically by copying data into a fixed-size buffer without checking the length and overshooting the end of that buffer. Whatever lies past that end, whether other variables, heap metadata, a saved return address or a function pointer, gets overwritten, so the program either crashes or, with carefully shaped input, runs the attacker’s code. This kind of bug can be triggered accidentally through normal operation, or it can be triggered deliberately by exploit code, as in the case of CVE-2024-21762, where the overshooting data arrives in the crafted HTTP request.
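To make the mechanism concrete, here is an added example written for this article, not Fortinet code and not the CVE-2024-21762 bug itself: a small request parser with an unchecked length (CWE-787) beside its bounds-checked version. It assumes, for illustration only, that a request is one length byte followed by the payload, and that the session’s 16-byte user field sits directly in front of an is_admin flag inside the same memory block, so an overlong copy lands on the flag.

```c
/* Added example for this article, not Fortinet code: an out-of-bounds write
 * (CWE-787) in a request parser beside its bounds-checked version.
 * Assumed for illustration: a request is one length byte followed by the
 * payload, and the 16-byte user field sits directly in front of an is_admin
 * flag inside the same memory block, so an overlong copy lands on the flag. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX  16          /* capacity of the user field */
#define FIELD_OFF  0           /* where the field starts in the block */
#define ADMIN_OFF  FIELD_MAX   /* the flag sits right after the field */
#define BLOCK_SIZE 512         /* models the allocation the field lives in */

struct session {
    uint8_t block[BLOCK_SIZE]; /* block[0..15] = user field, block[16] = is_admin */
};

static void session_init(struct session *s) {
    memset(s->block, 0, sizeof s->block);   /* is_admin starts cleared */
}

bool session_is_admin(const struct session *s) {
    return s->block[ADMIN_OFF] != 0;
}

/* Vulnerable: checks that the packet is complete but never checks the declared
 * length against the destination, so any declared length above FIELD_MAX writes
 * past the field (CWE-787). The single length byte caps it at 255, which keeps
 * this demo inside block[] and well-defined; a real bug has no such ceiling. */
int parse_user_vulnerable(struct session *s, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t declared = pkt[0];
    if (pkt_len < 1 + declared) return -1;              /* truncated packet */
    memcpy(&s->block[FIELD_OFF], pkt + 1, declared);    /* no bound on declared */
    return 0;
}

/* Fixed: the same parser with the destination bound enforced. Oversize input is
 * rejected, not silently truncated, so the caller can log and drop it. */
int parse_user_fixed(struct session *s, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 1) return -1;
    size_t declared = pkt[0];
    if (pkt_len < 1 + declared) return -1;
    if (declared > FIELD_MAX) return -2;                /* the missing check */
    memcpy(&s->block[FIELD_OFF], pkt + 1, declared);
    return 0;
}

/* Constructed attack packet: 16 filler bytes fill the field and a 17th byte
 * of value 1 lands on is_admin. Returns the packet length, 0 if cap is too small. */
size_t build_overflow_packet(uint8_t *out, size_t cap) {
    const size_t payload = FIELD_MAX + 1;
    if (cap < 1 + payload) return 0;
    out[0] = (uint8_t)payload;
    memset(out + 1, 'A', FIELD_MAX);
    out[1 + FIELD_MAX] = 1;
    return 1 + payload;
}

typedef int (*parser_fn)(struct session *, const uint8_t *, size_t);

/* Runs the attack packet through `parser`; returns the parser's status and
 * reports through *admin whether is_admin ended up set. */
static int run_attack(parser_fn parser, bool *admin) {
    struct session s;
    uint8_t pkt[64];
    session_init(&s);
    size_t n = build_overflow_packet(pkt, sizeof pkt);
    int rc = parser(&s, pkt, n);
    *admin = session_is_admin(&s);
    return rc;
}

int  vulnerable_parser_status(void)        { bool a; return run_attack(parse_user_vulnerable, &a); }
bool vulnerable_parser_flipped_admin(void) { bool a; run_attack(parse_user_vulnerable, &a); return a; }
int  fixed_parser_status(void)             { bool a; return run_attack(parse_user_fixed, &a); }
bool fixed_parser_flipped_admin(void)      { bool a; run_attack(parse_user_fixed, &a); return a; }

int main(void) {
    printf("vulnerable parser: rc=%d is_admin=%d\n",
           vulnerable_parser_status(), vulnerable_parser_flipped_admin());
    printf("fixed parser:      rc=%d is_admin=%d\n",
           fixed_parser_status(), fixed_parser_flipped_admin());
    return 0;
}
```

The attacker controls only the declared length and the payload, yet that is enough: the vulnerable parser validates the packet against itself and never against the 16 bytes it is writing into. The fix compares the declared length with the destination’s capacity and refuses oversize input rather than truncating it, which keeps the error visible to whoever reads the logs. In a real bug of this class the bytes past the buffer are rarely a convenient flag; they are heap metadata, pointers or saved control data, which is what turns the overwrite into code execution.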
Current solution
Fortinet advises customers to upgrade their FortiOS devices to the following versions:
- FortiOS 6.0 has no fixed release; devices on it should migrate to a fixed release on a supported branch,
- 6.2 versions should upgrade to 6.2.16 or above,
- 6.4 versions should upgrade to 6.4.15 or above,
- 7.0 versions should upgrade to 7.0.14 or above,
- 7.2 versions should upgrade to 7.2.7 or above,
- and 7.4 versions should upgrade to 7.4.3 or above.
Fortinet advises customers to upgrade their FortiProxy devices to the following versions:
- FortiProxy 1.2 has no fixed release; devices on it should migrate to a fixed release on a supported branch,
- 2.0 versions should upgrade to 2.0.14 or above,
- 7.0 versions should upgrade to 7.0.15 or above,
- 7.2 versions should upgrade to 7.2.9 or above,
- and 7.4 versions should upgrade to 7.4.3 or above.
Customers who cannot upgrade their FortiOS and FortiProxy systems are advised to disable the SSL VPN functionality in the affected products entirely; Fortinet notes that disabling only SSL VPN web mode is not a valid workaround. Patching closes the hole but does not evict an attacker who came through it earlier, so given the in-the-wild exploitation CISA confirmed, devices that were internet-exposed while unpatched should also be reviewed for signs of compromise.
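The two version tables above are easy to misread during an incident, so here is an added example, not Fortinet tooling, that encodes the affected ranges and fixed releases listed above and classifies version strings from a device inventory. It assumes versions of the form major.minor.patch (the format FortiOS prints), and it reports a branch the advisory does not list as unknown rather than as safe; the inventory lines in main are constructed for the example.

```c
/* Added example (not Fortinet tooling): classify a FortiOS or FortiProxy
 * version string against the affected and fixed releases listed above.
 * Assumed: versions come as "major.minor.patch"; a branch the advisory does
 * not list is reported as unknown, not as safe. */
#include <stdio.h>
#include <string.h>

enum status {
    FIXED,               /* at or above the fixed release on its branch */
    VULNERABLE_UPGRADE,  /* affected; a fixed release exists on the branch */
    VULNERABLE_MIGRATE,  /* affected; no fix on the branch, migrate */
    UNKNOWN_BRANCH,      /* branch not covered by the advisory table */
    BAD_VERSION          /* string did not parse */
};

struct branch {
    int major, minor;
    int last_affected;   /* highest affected patch level on the branch */
    int fixed_patch;     /* patch level of the fix, or -1 if the branch has none */
};

struct verdict { enum status status; int major, minor, fixed_patch; };

/* FortiOS table from the advisory: 6.0 has no fixed release. */
static const struct branch fortios[] = {
    {6, 0, -1, -1}, {6, 2, 15, 16}, {6, 4, 14, 15},
    {7, 0, 13, 14}, {7, 2, 6, 7},   {7, 4, 2, 3},
};
/* FortiProxy table from the advisory: 1.2 has no fixed release. */
static const struct branch fortiproxy[] = {
    {1, 2, -1, -1}, {2, 0, 13, 14}, {7, 0, 14, 15}, {7, 2, 8, 9}, {7, 4, 2, 3},
};

/* Parses "7.2.6"; rejects missing components, trailing junk and negatives. */
static int parse_version(const char *v, int *maj, int *min, int *pat) {
    char extra;
    if (sscanf(v, "%d.%d.%d%c", maj, min, pat, &extra) != 3) return 0;
    return *maj >= 0 && *min >= 0 && *pat >= 0;
}

static struct verdict classify(const struct branch *tbl, size_t n, const char *version) {
    struct verdict v = { BAD_VERSION, -1, -1, -1 };
    int maj, min, pat;
    if (!parse_version(version, &maj, &min, &pat)) return v;
    v.major = maj; v.minor = min; v.status = UNKNOWN_BRANCH;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].major != maj || tbl[i].minor != min) continue;
        if (tbl[i].fixed_patch < 0) v.status = VULNERABLE_MIGRATE;
        else if (pat <= tbl[i].last_affected) {
            v.status = VULNERABLE_UPGRADE;
            v.fixed_patch = tbl[i].fixed_patch;
        } else v.status = FIXED;
        break;
    }
    return v;
}

struct verdict check_fortios(const char *version) {
    return classify(fortios, sizeof fortios / sizeof fortios[0], version);
}
struct verdict check_fortiproxy(const char *version) {
    return classify(fortiproxy, sizeof fortiproxy / sizeof fortiproxy[0], version);
}

static const char *label(enum status s) {
    static const char *names[] = { "fixed", "VULNERABLE: upgrade",
                                   "VULNERABLE: migrate", "unknown branch", "bad version" };
    return names[s];
}

int main(void) {
    /* Constructed inventory lines for the example, not real devices: product,hostname,version */
    const char *inventory[] = {
        "FortiOS,fw-edge-01,7.2.6",  "FortiOS,fw-edge-02,7.2.7", "FortiOS,fw-lab,6.0.17",
        "FortiProxy,px-01,7.0.14",   "FortiProxy,px-02,2.0.14",  "FortiOS,fw-new,7.6.0",
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        char product[16], host[32], ver[16];
        if (sscanf(inventory[i], "%15[^,],%31[^,],%15s", product, host, ver) != 3) continue;
        struct verdict v = strcmp(product, "FortiProxy") == 0 ? check_fortiproxy(ver)
                                                              : check_fortios(ver);
        printf("%-10s %-12s %-8s %s", product, host, ver, label(v.status));
        if (v.fixed_patch >= 0) printf(" (upgrade to %d.%d.%d)", v.major, v.minor, v.fixed_patch);
        printf("\n");
    }
    return 0;
}
```

The important design choice is the default: a branch that is not in the table comes back as unknown, not fixed, so a device running a release the advisory never mentioned gets a human look instead of a green tick. Any branch entry with no fixed patch (6.0, 1.2) is reported as migrate, matching the advisory rather than inventing an upgrade target.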