Following a trend we have been seeing, attackers are targeting VPN vulnerabilities to access corporate networks. This time it’s Fortinet’s FortiOS that is being actively exploited. CVE-2024-21762 (CVSS 9.6) is an out-of-bounds write vulnerability that an unauthenticated attacker could use to execute malicious code.
There is a patch available so you should apply that as quickly as possibly and it is recommended to disable SSL VPN, which kind of defeats the purpose of having a VPN, to prevent exploitation. Not a fun position to be in for companies using this. Unfortunately there isn’t a lot more information out about this one yet.
This comes on the heels of a very confusing period for Fortinet where they announced two, YES TWO!, critical vulnerabilities to the FortiSiem solution in one day. CVE-2024-23108 and CVE-2024-23109 were both rated 10 by Fortinet but “only” a 9.8 by the NVD. Fortinet then announced that they weren’t new and were a duplicate of a critical vulnerability from October 2023, only to backtrack a few hours later and say they were new vulnerabilities after all. Clear as mud, just what users like. Like the FortiOS vulnerability these allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.
And if that wasn’t enough it was announced last week that Chinese attackers had exploited a vulnerability in the FortiOS SSL-VPN, CVE-2022-42475, CVSS: 9.3, used by the Dutch Military last year and were able to successfully deploy a backdoor into the network.
The best advice, as always, is to threat hunt looking for unusual files and/or activity if you have a device impacted by any of the vulnerabilities in this article.
If you think you may be affected and would like help investigating the issue, please reach out to csirt@frsecure.com
Links
https://www.cisa.gov/news-events/alerts/2024/02/09/fortinet-releases-security-advisories-fortios
https://fortiguard.fortinet.com/psirt/FG-IR-24-015