
- 48/2024
- Critical
Fortinet has released security updates to fix several vulnerabilities across multiple Fortinet products.
The addressed vulnerabilities could allow a remote attacker to perform denial-of-service attacks, conduct cross-site scripting attacks, gain elevated privileges, obtain sensitive information, execute arbitrary code, and gain access to the affected products by sending specially crafted HTTP requests.
Sample of the addressed vulnerabilities:
1. FortiOS – Format String Bug in fgfmd Code Execution (CVE-2024-23113):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. FortiOS – Out-of-bounds Write in sslvpnd Code Execution (CVE-2024-21762):
- CVSS: 9.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
3. FortiClientEMS – Improper Privilege Management for Site Super Administrator (CVE-2023-45581):
- CVSS: 7.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
Sample of the affected products:
- FortiClientEMS
- FortiNAC
- FortiAnalyzer
- FortiManager
- FortiOS
- FortiProxy
It should be highlighted that Fortinet is warning that the critical vulnerability (CVE-2024-21762) in FortiOS SSL VPN is potentially being exploited in the wild.
Additionally, Fortinet has provided a workaround for this vulnerability: disable SSL VPN entirely (disabling webmode is NOT a valid workaround).
Vulnerabilities
- CVE-2024-21762
- CVE-2023-47537
- CVE-2024-23113
- CVE-2023-44487
- CVE-2023-26206
- CVE-2023-44253
- CVE-2023-45581
Mitigations
Enterprises should deploy these patches or workarounds as soon as their testing phase is complete.