Once again, FortiOS is exposed to a critical SSL-VPN vulnerability 

This is the 8th critical-severity vulnerability since Oct 10, 2022, and the 3rd critical RCE vulnerability in the SSL-VPN feature of Fortinet’s next-generation FortiGate firewall solution.

Here, we refer to two recently discovered critical vulnerabilities tagged as CVE-2024-21762 and CVE-2024-23113. 

Overview of CVE-2024-21762 

This vulnerability has a CVSS score of 9.6, which makes it critical. According to Fortinet, it allows attackers to remotely execute arbitrary code or commands on FortiGate devices via specially crafted HTTP requests. SSL-VPN interfaces are generally exposed to the internet, which makes them an easy entry point for hackers.

Vendor Security Guideline: https://www.fortiguard.com/psirt/FG-IR-24-015  

NVD Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-21762 

FortiOS Upgrade Path Guideline: https://docs.fortinet.com/upgrade-tool?ref=thestack.technology 

Overview of CVE-2024-23113 

The FortiOS fgfmd daemon is affected by CVE-2024-23113 (CVSS score 9.8), which allows a remote unauthenticated attacker to execute arbitrary code or commands. This daemon handles communication between the FortiGate firewall and the FortiManager solution for central configuration management.

Vendor Security Guideline: https://www.fortiguard.com/psirt/FG-IR-24-029 

NVD Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-23113

FortiOS Upgrade Path Guideline: https://docs.fortinet.com/upgrade-tool?ref=thestack.technology 

SharkStriker’s recommendations and implemented measures: 

SharkStriker’s customers have already been notified of the remediation steps through a security advisory. The Security Operations Center (SOC) team at SharkStriker is actively monitoring customer environments for any suspicious or malicious activity.

The following are some of the general measures that we recommend to all our clients and partners:     

  • Apply the necessary patches on FortiOS based on the vendor-released guidelines.
  • Monitor firewall activity with the help of SIEM / XDR solutions such as SharkStriker’s STRIEGO platform.
  • Disable the SSL-VPN feature if it is not used in the IT environment.
  • Apply country-based restrictions on the firewall for externally exposed services such as SSL-VPN.
  • Implement Multi-Factor Authentication (MFA).
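
One way to check a FortiGate configuration backup against the SSL-VPN and fgfmd points above is the following added example, which is not SharkStriker's or Fortinet's code. It flags an enabled SSL-VPN, an SSL-VPN with no source restriction, and interfaces whose `allowaccess` includes `fgfm`. The sample configuration is constructed, the finding codes are hypothetical, and the key names (`status`, `source-address`, `allowaccess`) follow FortiOS 7.x CLI syntax, so confirm them against your own version.

```python
import shlex

# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = '''
config system interface
    edit "wan1"
        set allowaccess ping https fgfm
    next
end
config vpn ssl settings
    set status enable
    set source-address "all"
end
'''


def parse_settings(text):
    """Return {(config path, edit name, key): [values]} for every 'set' line."""
    settings, stack = {}, []  # stack frames: ("config", name) or ("edit", name)
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw) or [""]
        except ValueError:  # unbalanced quote, e.g. a multi-line certificate or key
            continue
        if tokens[0] == "config":
            stack.append(("config", " ".join(tokens[1:])))
        elif tokens[0] == "edit" and len(tokens) > 1:
            stack.append(("edit", tokens[1]))
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()
        elif tokens[0] == "set" and len(tokens) > 2:
            path = "/".join(n for kind, n in stack if kind == "config")
            edit = next((n for kind, n in reversed(stack) if kind == "edit"), None)
            settings[(path, edit, tokens[1])] = tokens[2:]
    return settings


def audit(text):
    """Findings for the recommendations above; the finding codes are hypothetical."""
    cfg, findings = parse_settings(text), []
    ssl = {k: v for (path, _, k), v in cfg.items() if path == "vpn ssl settings"}
    # Assumptions: a missing status counts as enabled, a missing source-address as "all".
    if ssl.get("status", ["enable"])[0] != "disable":
        findings.append("SSLVPN_ENABLED")
        if "all" in ssl.get("source-address", ["all"]):
            findings.append("SSLVPN_ANY_SOURCE")  # no country or address restriction
    for (path, edit, key), values in cfg.items():
        if path == "system interface" and key == "allowaccess" and "fgfm" in values:
            findings.append(f"FGFM_REACHABLE:{edit}")  # fgfmd reachable on this interface
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports all three findings; a backup with SSL-VPN disabled and no `fgfm` in `allowaccess` returns an empty list.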

We have deployed a new set of detection rules in STRIEGO to detect suspicious or malicious activities relating to the mentioned vulnerabilities. Through STRIEGO’s dashboards, our customers can seamlessly check the status of their cybersecurity posture. 

The post Once again, FortiOS is exposed to a critical SSL-VPN vulnerability  appeared first on SharkStriker.


