CVE-2024-21762 and CVE-2024-23113 are critical vulnerabilities in Fortinet's FortiOS and FortiProxy; they received a CVSS score of 9.6 and 9.8, respectively. Both vulnerabilities could allow a remote unauthenticated attacker to execute arbitrary code or commands, and CVE-2024-21762 is reportedly being exploited in the wild. Fortinet guidance recommends to upgrade FortiOS instances to patched versions as soon as possible. Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
What are CVE-2024-21762 and CVE-2024-23113?
The vulnerability identified as CVE-2024-21762, rated with a CVSS score of 9.6, stems from improper parameter validation within FortiOS SSL-VPN. It can be exploited by a remote, unauthenticated attacker through specially crafted HTTP requests, leading to a scenario where bytes are copied beyond the buffer's limits. This results in memory corruption and the redirection of process flow, potentially allowing the execution of arbitrary code or commands.
Similarly, CVE-2024-23113, carrying a CVSS score of 9.8, is attributed to a format string vulnerability found in the FortiOS fgfmd daemon. This flaw could enable a remote attacker, without any authentication, to execute arbitrary code or commands by sending specifically tailored requests. Note that this vulnerability only affects more recent product versions (dating back to March 2022).
Exploitation in the wild
Fortinet’s advisory states that CVE-2024-21762 is “potentially being exploited in the wild,” and that statement was followed by CISA adding CVE-2024-21762 to its Known Exploited Vulnerabilities catalog (KEV) and wrote “These types of vulnerabilities are frequent attack vectors for malicious cyber actors.
Wiz Research data: what’s the risk to cloud environments?
Based on Wiz data, 8% of cloud environments have resources vulnerable to CVE-2024-21762 or CVE-2024-23113, while 5% have publicly exposed instances.
Which products are affected?
CVE-2024-23113
| Product | Affected version | Remediation |
|---|---|---|
| FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| FortiPAM 1.2 | 1.2.0 | Upgrade to 1.2.1 or above |
| FortiPAM 1.1 | 1.1.0 through 1.1.2 | Upgrade to 1.1.3 or above |
| FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiProxy 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.8 | Upgrade to 7.2.9 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.14 | Upgrade to 7.0.16 or above |
CVE-2024-21762
| Product | Affected version | Remediation |
|---|---|---|
| FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiProxy 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.8 | Upgrade to 7.2.9 or above |
| FortiProxy 7.0 | 7.0.0 through 7.0.14 | Upgrade to 7.0.15 or above |
| FortiProxy 2.0 | 2.0.0 through 2.0.13 | Upgrade to 2.0.14 or above |
| FortiProxy 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiProxy 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiProxy 1.0 | 1.0 all versions | Migrate to a fixed release |
Workarounds and mitigations
CVE-2024-21762
If you are unable to patch affected instances, it is possible to mitigate CVE-2024-21762 by disabling SSL VPN as a workaround.
CVE-2024-23113
If you are unable to patch affected instances, it is possible to mitigate CVE-2024-23113 by removing FGFM access for each interface, as described in Fortinet's advisory (this will prevent FortiGate discovery from FortiManager, but connections from the FortiGate will still work).
Query available in the Wiz Threat Center
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
