A recent vulnerability in SSL VPNs used by Fortinet has raised concerns about potential security breaches, leading to warnings about possible nation-state exploitation of the vulnerabilities. The vulnerability, identified as CVE-2024-21762, has the potential to allow attackers to access and exploit systems on secure connections to private organization networks.
The affected FortiOS versions include 7.4 (before 7.4.2), 7.2 (before 7.2.6), 7.0 (before 7.0.13), 6.4 (before 6.4.14), 6.2 (before 6.2.15), and all versions of 6.0. While patches have been released for the vulnerability with the successive updates of Fortinet versions 6.2, 6.4, 7.0, 7.2, and 7.4, it is important to note that versions 7.6 is not affected by this vulnerability. However, for those users who are unable to upgrade to the patched versions, the advised workaround is to disable SSL VPN.
Additionally, Fortinet has issued a warning about another critical vulnerability, tracked under CVE-2024-23113, with a CVSS score of 9.8. This vulnerability allows for remote code execution (RCE) by exploiting the “externally-controlled format string vulnerability” in the FortiOS fgfmd daemon, which is another secure connection authentication module. At present, no known exploitations of this vulnerability have been reported.
The warning from Fortinet also includes highlighting the tactics, techniques, and procedures (TTPs) used by a China-backed threat actor known as Volt Typhoon. It is reported that this threat actor has been exploiting Fortinet’s known vulnerabilities to gain initial access to target systems. Specifically, Chinese hackers are suspected to have exploited Fortinet N-days disclosed in December 2022 (CVE-2022-42475) and June 2023 (CVE-2023-27997) to target critical infrastructure organizations. As part of the investigation into these incidents, it was discovered that living-off-the-land (LOTL) binaries consistent with Volt Typhoon’s TTPs were used.
These warnings from Fortinet about potential nation-state exploitations serve as a stark reminder of the evolving threats to cybersecurity and the critical need for organizations to prioritize security measures. The vulnerabilities in SSL VPNs and Fortinet’s security modules underscore the importance of staying vigilant and promptly addressing any potential vulnerabilities to prevent exploitation by threat actors.
In response to these warnings, organizations using Fortinet’s products are urged to ensure that they have updated to the latest patched versions of the software to safeguard against potential security risks. It is crucial for businesses and institutions to prioritize cybersecurity measures and to stay informed about emerging threats and vulnerabilities in order to protect sensitive data and networks. Additionally, the ongoing monitoring and response to cybersecurity threats, including those originating from nation-state actors, are essential components of a comprehensive security strategy. By taking proactive steps to address these vulnerabilities and potential exploit risks, organizations can help mitigate the potential impact of cyber attacks.