Lucene search

Rapid7RAPID7BLOG:0E907B2DDA83198AFC222340903BE902

HistoryFeb 12, 2024 - 1:23 p.m.

Critical Fortinet FortiOS CVE-2024-21762 Exploited

2024-02-1213:23:51

Rapid7

blog.rapid7.com

fortinet

fortios

ssl vpn

vulnerability

exploited

remote code execution

impacted versions

mitigation guidance

advisory

cve

rapid7

insightvm

nexpose

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.41 Medium

EPSS

Percentile

97.2%

JSON

On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on Fortigate SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.

According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred.

Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors. Other recent Fortinet SSL VPN vulnerabilities (e.g., CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by adversaries as both zero-day and as n-day following public disclosure.

Affected products

FortiOS versions vulnerable to CVE-2024-21762 include:

FortiOS 7.4.0 through 7.4.2
FortiOS 7.2.0 through 7.2.6
FortiOS 7.0.0 through 7.0.13
FortiOS 6.4.0 through 6.4.14
FortiOS 6.2.0 through 6.2.15
FortiOS 6.0 all versions
FortiProxy 7.4.0 through 7.4.2
FortiProxy 7.2.0 through 7.2.8
FortiProxy 7.0.0 through 7.0.14
FortiProxy 2.0.0 through 2.0.13
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

Note: Fortinet’s advisory did not originally list FortiProxy as being vulnerable to this issue, but the bulletin was updated after publication to add affected FortiProxy versions.

Mitigation guidance

According to the Fortinet advisory, the following fixed versions remediate CVE-2024-21762:

FortiOS 7.4.3 or above
FortiOS 7.2.7 or above
FortiOS 7.0.14 or above
FortiOS 6.4.15 or above
FortiOS 6.2.16 or above
FortiOS 6.0 customers should migrate to a fixed release
FortiProxy 7.4.3 or above
FortiProxy 7.2.9 or above
FortiProxy 7.0.15 or above
FortiProxy 2.0.14 or above
FortiProxy 1.2, 1.1, and 1.0 customers should migrate to a fixed release

As a workaround, the advisory instructs customers to disable the SSL VPN with the added context that disabling the webmode is not a valid workaround. For more information and the latest updates, please refer to Fortinet’s advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to FortiOS CVE-2024-21762 with a vulnerability check available in the Friday, February 9 content release.