
Critical Vulnerabilities in Fortinet FortiOS (CVE-2024-21762 and CVE-2024-23113)

Advisory

15 FEB 2024


Background

Fortinet has recently disclosed two critical vulnerabilities (CVE-2024-21762 and CVE-2024-23113) in Fortinet products that could be exploited to gain unauthorised access to affected systems.

CVE-2024-21762
A critical remote code execution (RCE) vulnerability in FortiOS, the operating system that runs on FortiGate devices and their SSL VPN component, allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests. This vulnerability is actively being exploited in the wild.

CVE-2024-23113
An externally controlled format string vulnerability in the FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.


Impact

  • Execution of unauthorised code or commands
  • Corruption of sensitive data
  • System crash


Affected Products

  • FortiOS 7.4.0 through 7.4.2 (CVE-2024-23113, CVE-2024-21762)
  • FortiOS 7.2.0 through 7.2.6 (CVE-2024-23113, CVE-2024-21762)
  • FortiOS 7.0.0 through 7.0.13 (CVE-2024-23113, CVE-2024-21762)
  • FortiOS 6.4.0 through 6.4.14 (CVE-2024-21762)
  • FortiOS 6.2.0 through 6.2.15 (CVE-2024-21762)
  • FortiOS 6.0 all versions (CVE-2024-21762)
  • FortiProxy 7.4.0 through 7.4.2 (CVE-2024-21762)
  • FortiProxy 7.2.0 through 7.2.8 (CVE-2024-21762)
  • FortiProxy 7.0.0 through 7.0.14 (CVE-2024-21762)
  • FortiProxy 2.0.0 through 2.0.13 (CVE-2024-21762)
  • FortiProxy 1.2 all versions (CVE-2024-21762)
  • FortiProxy 1.1 all versions (CVE-2024-21762)
  • FortiProxy 1.0 all versions (CVE-2024-21762)
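The list above maps cleanly onto a version check. The following script is an added example (not part of the advisory and not Fortinet code): it encodes the listed ranges as data and reports which of the two CVEs apply to a given product and version string, accepting either a bare "7.2.4" or the "v7.2.4,build1396" form that FortiOS prints. A version outside every listed range, including any newer release, is reported as not affected by this advisory; the range table and the sample version strings are taken from or constructed around the list above.

```python
import re

# Affected ranges exactly as listed in the advisory:
# (product, (major, minor), first patch, last patch, CVEs).
# last == None means every patch level of that major.minor is affected.
AFFECTED = [
    ("FortiOS",    (7, 4), 0, 2,    {"CVE-2024-21762", "CVE-2024-23113"}),
    ("FortiOS",    (7, 2), 0, 6,    {"CVE-2024-21762", "CVE-2024-23113"}),
    ("FortiOS",    (7, 0), 0, 13,   {"CVE-2024-21762", "CVE-2024-23113"}),
    ("FortiOS",    (6, 4), 0, 14,   {"CVE-2024-21762"}),
    ("FortiOS",    (6, 2), 0, 15,   {"CVE-2024-21762"}),
    ("FortiOS",    (6, 0), 0, None, {"CVE-2024-21762"}),
    ("FortiProxy", (7, 4), 0, 2,    {"CVE-2024-21762"}),
    ("FortiProxy", (7, 2), 0, 8,    {"CVE-2024-21762"}),
    ("FortiProxy", (7, 0), 0, 14,   {"CVE-2024-21762"}),
    ("FortiProxy", (2, 0), 0, 13,   {"CVE-2024-21762"}),
    ("FortiProxy", (1, 2), 0, None, {"CVE-2024-21762"}),
    ("FortiProxy", (1, 1), 0, None, {"CVE-2024-21762"}),
    ("FortiProxy", (1, 0), 0, None, {"CVE-2024-21762"}),
]


def parse_version(text):
    """Extract (major, minor, patch) from '7.2.4' or 'v7.2.4,build1396,230131'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def affected_cves(product, version_text):
    """Return the set of advisory CVEs that apply to this product/version."""
    major, minor, patch = parse_version(version_text)
    cves = set()
    for prod, (maj, mnr), first, last, ids in AFFECTED:
        if prod != product or (maj, mnr) != (major, minor):
            continue
        if first <= patch and (last is None or patch <= last):
            cves |= ids
    return cves


if __name__ == "__main__":
    # Constructed sample inputs, not output from any real device.
    for product, version in [("FortiOS", "v7.4.1,build2463"),
                             ("FortiOS", "7.4.3"),
                             ("FortiProxy", "1.2.13")]:
        print(product, version, sorted(affected_cves(product, version)) or "not listed")
```

Feed it the product and the version string from the device's own status output; an empty result means the version is not in the advisory's list, not that the device is otherwise up to date.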


Recommendations

It is recommended to upgrade affected devices to a fixed release provided by Fortinet.

CVE-2024-21762
Disabling SSL VPN on FortiOS devices can mitigate the risk until the device can be updated to a fixed version.

CVE-2024-23113
Remove fgfm access on each interface until the system can be patched.
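Both workarounds can be verified from a configuration backup before touching a device. The script below is an added example (not part of the advisory and not Fortinet tooling): it walks a FortiOS-style "config / edit / set / next / end" dump, lists every interface whose allowaccess includes fgfm, reads the SSL VPN status, and prints the CLI lines that would drop fgfm from those interfaces and disable SSL VPN. The sample configuration is constructed for illustration; the "config vpn ssl settings / set status" and "unset allowaccess" lines are assumed to match the device's CLI and should be checked against the running version's documentation.

```python
# Constructed sample of a FortiOS configuration dump (not from any real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping
        set type physical
    next
    edit "mgmt"
        set vdom "root"
        set allowaccess ping https ssh snmp fgfm
        set type physical
    next
end
config vpn ssl settings
    set status enable
    set port 443
end
"""


def audit_config(config_text):
    """Report interfaces exposing fgfm and the SSL VPN status from a config dump."""
    stack = []            # enclosing "config ..." section names
    current_edit = None   # name of the current "edit" entry, if any
    fgfm_ifaces = {}      # interface name -> full allowaccess service list
    sslvpn_status = None  # value of "set status" under "config vpn ssl settings"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            stack.pop()
        elif line.startswith("edit "):
            current_edit = line[len("edit "):].strip('"')
        elif line == "next":
            current_edit = None
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            section = stack[-1] if stack else None
            if section == "system interface" and key == "allowaccess":
                services = value.split()
                if "fgfm" in services:
                    fgfm_ifaces[current_edit] = services
            elif section == "vpn ssl settings" and key == "status":
                sslvpn_status = value
    return {"fgfm_interfaces": fgfm_ifaces, "sslvpn_status": sslvpn_status}


def remediation_commands(findings):
    """Build CLI lines that remove fgfm from flagged interfaces and disable SSL VPN."""
    cmds = []
    if findings["fgfm_interfaces"]:
        cmds.append("config system interface")
        for name, services in findings["fgfm_interfaces"].items():
            kept = [s for s in services if s != "fgfm"]
            cmds.append(f'    edit "{name}"')
            # Assumed CLI: re-set the list without fgfm, or unset it if nothing remains.
            cmds.append(f"        set allowaccess {' '.join(kept)}" if kept
                        else "        unset allowaccess")
            cmds.append("    next")
        cmds.append("end")
    if findings["sslvpn_status"] == "enable":
        cmds += ["config vpn ssl settings", "    set status disable", "end"]
    return cmds


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG)
    print("fgfm exposed on:", sorted(findings["fgfm_interfaces"]))
    print("SSL VPN status:", findings["sslvpn_status"])
    print("\n".join(remediation_commands(findings)))
```

Run it against an exported configuration; the generated lines are meant to be reviewed and applied by an administrator, and the audit should be repeated after the change to confirm no interface still lists fgfm.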

