Introduction
A critical security vulnerability [1] [2] [3] [5] [7] [8], identified as CVE-2024-23113 [8] [10], has been discovered in several Fortinet products. This vulnerability, classified as “use of externally-controlled format string,” poses significant risks due to its potential for remote code execution (RCE). It affects multiple versions of FortiOS, FortiPAM [1] [3] [4] [6] [7] [8] [10], FortiProxy [1] [3] [4] [6] [7] [8] [10], and FortiWeb [1] [4] [6] [7] [8] [10], and has been actively exploited in the wild, particularly targeting internet-facing devices. The US Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog [1] [4], underscoring the urgency for remediation.
Description
A critical security vulnerability [1] [2] [3] [5] [7] [8], tracked as CVE-2024-23113 and classified as a “use of externally-controlled format string,” has been identified in multiple Fortinet products, including FortiOS (7.0 and later) [1] [4] [10], FortiPAM (1.0 and higher) [1] [4] [10], FortiProxy (7.0 and above) [1] [4] [7] [10], and FortiWeb (7.4) [1] [4] [7] [10]. This vulnerability, which has a CVSS score of 9.8 and is categorized as “Critical,” was published on February 8, 2024, and exists in the fgfmd daemon, responsible for managing authentication requests and keep-alive messages [7] [10]. It allows remote unauthenticated attackers to send specially crafted requests that can execute arbitrary code or commands [3], leading to remote code execution (RCE) [2]. The exploitation of this flaw poses significant risks, enabling attackers to infiltrate networks [2] [5], access sensitive data [2] [5], and establish a foothold for lateral movement within affected environments [2] [5].
The vulnerability affects specific versions of FortiOS (7.4.0 to 7.4.2, 7.2.0 to 7.2.6, 7.0.0 to 7.0.13) [7], FortiProxy (7.4.0 to 7.4.2, 7.2.0 to 7.2.8, 7.0.0 to 7.0.15) [3] [7], FortiPAM (1.2.0, 1.1.0 to 1.1.2, 1.0.0 to 1.0.3) [7], and FortiWeb (7.4.0 to 7.4.2). Due to evidence of active exploitation in the wild, particularly targeting SSLVPN and firewall appliances that are inherently internet-facing [3], this vulnerability raises significant concerns, especially for federal enterprises and organizations using these products in critical infrastructure. Consequently, it has been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog [1] [3] [8]. In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate identified vulnerabilities by specified deadlines [9], with a deadline set for October 30, 2024, to protect their networks against such active threats. Despite Fortinet’s disclosure and patching of this vulnerability [1], many systems remain unpatched eight months later [1], highlighting the ongoing risk and the necessity for timely remediation.
Fortinet has recommended that organizations upgrade to the following versions to mitigate the vulnerability: FortiOS 7.4.3 or above (or 7.2.7 and 7.0.14 on the 7.2 and 7.0 branches), FortiProxy 7.4.3 or above [1] [4] [7] [10] (or 7.2.9 and 7.0.16 on the older branches), FortiPAM 1.2.1 or above [7] [10] (or the patched 1.1.x and 1.0.x releases), and FortiWeb 7.4.3 or above [7] [10]. In addition to applying patches [10], organizations are advised to implement network segmentation and access controls to limit potential attack vectors [10]. As an interim measure, administrators should remove access to the fgfmd daemon from all interfaces; this is intended to block the exposed attack path but should not be considered a complete workaround [4]. Where FGFM access must remain, a local-in policy that restricts FGFM connections to specific IPs reduces the attack surface [7], although this does not fully prevent exploitation [7].

CISA encourages all organizations to prioritize the timely remediation of known vulnerabilities to reduce exposure to cyberattacks and will continue to update the KEV catalog with vulnerabilities that meet established criteria [9]. For organizations concerned about the impact of this vulnerability [4], SecuLore offers monitoring options to detect malicious traffic attempting to exploit vulnerabilities [4], utilizing their CyberSight™ technology to passively capture network traffic for threat identification, with analysis conducted by Certified Ethical Hackers in their Security Operations Center [4]. Further details and upgrade tools are available on Fortinet’s website [7].
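The two interim mitigations described above, written out as FortiOS CLI configuration. This is an added illustration, not configuration taken from the page, from Fortinet's advisory or from any of the cited sources. The interface name "port1", the address object "fortimanager-host" and the IP 192.0.2.10 are constructed placeholders; that FGFM listens on TCP port 541 is an assumption about the daemon's default port. The first stanza shows the weak setting beside the corrected one; the second restricts FGFM to a single management host for deployments that cannot disable it.

```fortios
# Added example (not from the page or from Fortinet): interim mitigations
# for CVE-2024-23113 expressed as FortiOS CLI. "port1", "fortimanager-host"
# and 192.0.2.10 are constructed placeholders; FGFM on TCP/541 is assumed.
# Upgrading to a fixed release remains the actual remediation.

# 1. Remove "fgfm" from the administrative access list of every interface,
#    starting with any internet-facing one.
#    Before (fgfmd reachable on this interface):
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
end

#    After (fgfmd no longer reachable on this interface):
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# 2. If FGFM must stay enabled (for example for a FortiManager), allow it
#    only from the manager's address with a local-in policy and deny the
#    rest. This shrinks the exposed surface; it does not remove the flaw,
#    which can still be triggered from the permitted host.
config firewall address
    edit "fortimanager-host"
        set subnet 192.0.2.10 255.255.255.255
    next
end

config firewall service custom
    edit "FGFM-TCP541"
        set tcp-portrange 541
    next
end

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "fortimanager-host"
        set dstaddr "all"
        set service "FGFM-TCP541"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "FGFM-TCP541"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are evaluated in order, so the accept entry must come before the catch-all deny. After applying either change, confirm the result with `show system interface port1` and `show firewall local-in-policy`, and repeat the interface step for every interface that still lists `fgfm` under `allowaccess`.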
Conclusion
The CVE-2024-23113 vulnerability presents a critical threat to organizations using affected Fortinet products. Immediate action is required to mitigate the risks associated with this vulnerability, including upgrading to recommended software versions and implementing additional security measures. The ongoing exploitation of this vulnerability highlights the importance of timely patching and proactive cybersecurity practices. Organizations must remain vigilant and prioritize the remediation of known vulnerabilities to safeguard their networks against potential cyberattacks.
References
[1] https://fieldeffect.com/blog/8-month-old-fortinet-rce-vulnerability-actively-exploited
[2] https://securityonline.info/cisa-adds-three-actively-exploited-security-vulnerabilities-to-kev-catalog-urges-urgent-patching/
[3] https://digital.nhs.uk/cyber-alerts/2024/cc-4560
[4] https://seculore.com/resources/cyber-alert-critical-fortinet-rce-vulnerability/
[5] https://www.loginsoft.com/weekly-reports/a-week-of-emerging-zero-day-vulnerabilities-and-threats
[6] https://www.itmedia.co.jp/enterprise/articles/2410/11/news085.html
[7] https://insights.integrity360.com/triple-threat-advisory-fortinet-palo-alto-and-cisco-issue-threat-warnings
[8] https://thehackernews.com/2024/10/cisa-warns-of-critical-fortinet-flaw-as.html
[9] https://www.cisa.gov/news-events/alerts/2024/10/09/cisa-adds-three-known-exploited-vulnerabilities-catalog
[10] https://www.digitalvocano.com/cybersecurity/cisa-warns-of-fortinet-rce-vulnerability-actively-exploited