Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it says is likely being exploited in the wild.
The vulnerability, tracked as CVE-2024-21762 (CVSS score: 9.6), allows arbitrary code and command execution.
According to a bulletin the company released on Thursday, an out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.
It further acknowledged that the issue is "potentially being exploited in the wild," without providing any details about how or by whom it is being weaponized.
The vulnerability affects the following versions; FortiOS 7.6 is not affected:
- FortiOS 7.4 (versions 7.4.0 through 7.4.2): upgrade to 7.4.3 or above
- FortiOS 7.2 (versions 7.2.0 through 7.2.6): upgrade to 7.2.7 or above
- FortiOS 7.0 (versions 7.0.0 through 7.0.13): upgrade to 7.0.14 or above
- FortiOS 6.4 (versions 6.4.0 through 6.4.14): upgrade to 6.4.15 or above
- FortiOS 6.2 (versions 6.2.0 through 6.2.15): upgrade to 6.2.16 or above
- FortiOS 6.0 (all versions): migrate to a fixed release
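The affected-version table above is what a practitioner actually needs to turn into a fleet check. The script below is an added example, not Fortinet's code: it encodes the advisory's branch ranges (with 7.0 fixed in 7.0.14), parses the version out of the kind of "Version:" line FortiGate prints for `get system status`, and flags each device with the release it must move to. The hostnames, build numbers and the exact line format are constructed for the demo and are assumptions, not data from the page.

```python
"""Fleet triage for CVE-2024-21762 from the FortiOS affected-version table.

Added example, not Fortinet's code. Branch ranges and fixed releases come
from the advisory table above; the inventory lines are constructed.
"""
import re
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    host: str
    version: str           # normalized "major.minor.patch"
    affected: bool
    fix: Optional[str]     # release to move to, or None if unaffected

# (major, minor) branch -> (last affected patch, remediation).
# A last-affected patch of None means the whole branch is affected.
AFFECTED = {
    (7, 4): (2, "7.4.3"),
    (7, 2): (6, "7.2.7"),
    (7, 0): (13, "7.0.14"),
    (6, 4): (14, "6.4.15"),
    (6, 2): (15, "6.2.16"),
    (6, 0): (None, "migrate to a fixed release"),
}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text: str) -> tuple:
    """Extract major.minor.patch from a raw version string, e.g.
    'Version: FortiGate-100F v7.2.5,build0000 (GA.F)' -> (7, 2, 5).
    The 'Version:' line layout is an assumption about device output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(host: str, raw: str) -> Finding:
    """Decide whether one device's reported version is in an affected range."""
    major, minor, patch = parse_version(raw)
    ver = f"{major}.{minor}.{patch}"
    entry = AFFECTED.get((major, minor))
    if entry is None:
        # 7.6 and any branch absent from the table are not covered by this advisory
        return Finding(host, ver, False, None)
    last_bad, fix = entry
    if last_bad is None or patch <= last_bad:
        return Finding(host, ver, True, fix)
    return Finding(host, ver, False, None)

def triage(inventory: dict) -> list:
    """Run assess() over a {host: raw version line} inventory."""
    return [assess(host, raw) for host, raw in inventory.items()]

# Constructed sample inventory (hostnames and build strings are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01":   "Version: FortiGate-100F v7.2.5,build0000,000000 (GA.F)",
    "fw-edge-02":   "Version: FortiGate-100F v7.2.7,build0000,000000 (GA.M)",
    "fw-branch-07": "Version: FortiGate-60F v7.0.13,build0000,000000 (GA.M)",
    "fw-legacy-03": "Version: FortiGate-60E v6.0.12,build0000,000000 (GA)",
    "fw-lab-01":    "Version: FortiGate-VM64 v7.6.0,build0000,000000 (GA.F)",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        status = f"AFFECTED -> {f.fix}" if f.affected else "not affected"
        print(f"{f.host:14} {f.version:8} {status}")
```

A clean result here only says a device is outside the affected ranges. Because CISA reports active exploitation, any device the check flags should be treated as potentially already compromised and investigated, not just upgraded.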
The disclosure comes as Fortinet also patched CVE-2024-23108 in the FortiSIEM supervisor, a flaw that allows a remote, unauthenticated attacker to execute unauthorized commands via crafted API requests.
The Dutch government revealed earlier this week that Chinese state-sponsored actors exploited known flaws in Fortinet FortiGate devices to deliver a backdoor known as COATHANGER and infiltrate the armed forces' computer network.
In a report released this week, the company revealed that numerous activity clusters are targeting governments, service providers, consultancies, manufacturing companies, and sizable critical infrastructure organizations by taking advantage of N-day security vulnerabilities in its software, such as CVE-2022-42475.
Chinese threat actors have previously been associated with the zero-day delivery of a variety of implants, including BOLDMOVE, THINCRUST, and CASTLETAP, using security flaws in Fortinet appliances.
It also follows a U.S. government advisory on the Chinese nation-state group Volt Typhoon, which has targeted U.S. critical infrastructure for long-term, undetected persistence by exploiting known and zero-day flaws in networking appliances from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco for initial access.
China, which has rejected the allegations, has accused the United States of carrying out its own cyber attacks.
The campaigns attributed to China and Russia, if anything, highlight the growing threat to internet-facing edge devices, which typically lack endpoint detection and response (EDR) coverage and are therefore ripe for abuse.
According to Fortinet, "these attacks show the use of already fixed N-day vulnerabilities and subsequent [living-off-the-land] techniques, which are highly indicative of the behavior used by the cyber actor or group known as Volt Typhoon, who has been using these methods to target critical infrastructure and possibly other adjacent actors."
CISA Confirms Exploitation of CVE-2024-21762
On February 9, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the fixes by February 16, 2024, to protect their networks against potential threats.