Fortinet’s revelation of security vulnerabilities in its network security systems is causing a stir within the cybersecurity community. The vulnerabilities, classified as critical by Fortinet, are indicative of a serious threat to the security and operations of affected systems.
The two vulnerabilities, CVE-2024-21762 and CVE-2024-23113, are remote code execution flaws in FortiOS. Either could allow a threat actor to take control of an affected device. Fortinet has also confirmed that CVE-2024-21762 is already being exploited in the wild.
In response to Fortinet’s advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) has taken immediate action to address the situation. On February 9, 2024, CISA updated its Known Exploited Vulnerabilities (KEV) Catalog to include pertinent details about CVE-2024-21762. CISA has affirmed that this vulnerability, which affects multiple versions, is actively being exploited in attacks.
According to Fortinet, CVE-2024-21762 is an out-of-bounds write in the SSL VPN component. It allows a remote, unauthenticated attacker to execute arbitrary code or commands by sending specially crafted HTTP requests. CVE-2024-23113 is a format string bug in the FortiOS FortiGate to FortiManager (FGFM) protocol handling, and likewise lets a remote, unauthenticated attacker execute arbitrary code or commands.
Between the two advisories, the affected FortiOS branches are 6.0, 6.2, 6.4, 7.0, 7.2, and 7.4. Fortinet has released fixed builds for each affected branch except 6.0, for which users are advised to migrate to a newer, fixed release. FortiOS 7.6 is confirmed not to be affected by either vulnerability.
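The practical question after an advisory like this is which devices in an estate are still exposed. The script below is an added example, not code from the article or from Fortinet: it parses the `Version:` line of FortiOS `get system status` output and reports, per CVE, whether the running build sits in an affected branch below the fixed release. The fixed-version table is this example's assumption about Fortinet's PSIRT advisories and must be confirmed against the current advisory before it is relied on; the sample status lines are constructed, not real device output.

```python
import re

# Assumed fixed releases per affected branch for each CVE. These numbers are
# an assumption of this example; verify them against Fortinet's advisories
# before using the script for real triage. None means Fortinet offers no
# fixed build in that branch and advises migrating to a newer release.
FIXED_IN = {
    "CVE-2024-21762": {          # out-of-bounds write, SSL VPN
        "6.0": None,
        "6.2": (6, 2, 16),
        "6.4": (6, 4, 15),
        "7.0": (7, 0, 14),
        "7.2": (7, 2, 7),
        "7.4": (7, 4, 3),
    },
    "CVE-2024-23113": {          # format string, FGFM protocol
        "7.0": (7, 0, 14),
        "7.2": (7, 2, 7),
        "7.4": (7, 4, 3),
    },
}

# FortiOS prints its version as e.g. "v7.2.5,build1517,230606 (GA)".
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_fortios_version(status_line):
    """Return (major, minor, patch) from a `get system status` Version line."""
    m = VERSION_RE.search(status_line)
    if not m:
        raise ValueError(f"no FortiOS version found in: {status_line!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, table=FIXED_IN):
    """Map each CVE to 'vulnerable', 'patched', 'unsupported-migrate', or
    'not-listed' (branch absent from that CVE's advisory table, e.g. 7.6)."""
    branch = f"{version[0]}.{version[1]}"
    result = {}
    for cve, fixes in table.items():
        if branch not in fixes:
            result[cve] = "not-listed"
            continue
        fixed = fixes[branch]
        if fixed is None:
            result[cve] = "unsupported-migrate"
        elif version < fixed:          # tuple comparison: (7,2,5) < (7,2,7)
            result[cve] = "vulnerable"
        else:
            result[cve] = "patched"
    return result


# Constructed sample lines shaped like "<host>: <get system status Version line>".
# Hostnames, models and build numbers are made up for the example.
SAMPLE_STATUS = [
    "fw-edge-1: Version: FortiGate-100F v7.2.5,build1517,230606 (GA)",
    "fw-edge-2: Version: FortiGate-60F v7.4.3,build2573,240201 (GA)",
    "fw-branch: Version: FortiGate-40F v6.0.15,build0482,210708 (GA)",
    "fw-lab: Version: FortiGate-VM64 v7.6.0,build3401,240530 (GA)",
]


def triage(lines):
    """Return {host: {cve: status}} for a list of host-prefixed status lines."""
    out = {}
    for line in lines:
        host = line.split(":", 1)[0].strip()
        out[host] = assess(parse_fortios_version(line))
    return out


if __name__ == "__main__":
    for host, status in triage(SAMPLE_STATUS).items():
        flags = ", ".join(f"{cve}={state}" for cve, state in status.items())
        print(f"{host}: {flags}")
```

In a real run, feed the script the collected output of `get system status` from each FortiGate (or the equivalent field from a management platform export) rather than the constructed sample list. A device reported as `unsupported-migrate` has no patch path within its branch and needs an upgrade plan, not just a hotfix.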
While Fortinet maintains a culture of researcher collaboration and transparency, the detection of these critical vulnerabilities has raised concerns among cybersecurity experts. CISA’s disclosure regarding a China-linked threat group exploiting vulnerabilities in network appliances has only served to exacerbate these concerns. The threat group, known as Volt Typhoon, has been implicated in the exploitation of vulnerabilities in various products, including those of Fortinet.
With the release of the details of the vulnerabilities, the cybersecurity community is on high alert, particularly in light of Volt Typhoon’s track record of maintaining access and footholds within victim IT environments for extended periods of time. There are growing concerns regarding the ease with which these vulnerabilities could be exploited and the potential for a Proof of Concept (PoC) disclosure to occur imminently.
For further insight into the implications of these vulnerabilities, we turned to Mayuresh Dani, Manager of Security Research at the Qualys Threat Research Unit. Mayuresh emphasized that the advance notifications Fortinet sent to its partners indicate that the vulnerability might be easy to exploit and that a PoC disclosure could be imminent. With CVE-2024-21762 already included in the CISA KEV list and carrying a high exploit code maturity ranking, Mayuresh warned that exploitation may require no user interaction and noted the lack of detailed information on how the vulnerability was discovered.
In conclusion, the successful exploitation of these critical vulnerabilities in Fortinet’s network security systems could have far-reaching consequences. The collaborative efforts of researchers, cybersecurity agencies, and industry experts will be crucial in ensuring that affected systems are promptly protected and secured from potential threats.