Fortinet offers guidance to detect and mitigate CVE-2024-21762 and CVE-2024-23113, critical RCE vulnerabilities in FortiOS and FortiProxy, including guidance that organizations should patch urgently.
Analysis Summary
# Vulnerability: Critical RCE in FortiOS/FortiProxy via SSL-VPN and Format String Flaw
## CVE Details
- CVE ID: CVE-2024-21762, CVE-2024-23113
- CVSS Score: 9.6 (High) for CVE-2024-21762, 9.8 (Critical) for CVE-2024-23113
- CWE: Buffer Copy beyond limits (CVE-2024-21762), Format String Vulnerability (CVE-2024-23113)
## Affected Systems
- Products: FortiOS, FortiProxy, FortiPAM
- Versions:
  * **CVE-2024-21762 (SSL-VPN Buffer Overflow):**
    * FortiOS: 7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13, 6.4.0-6.4.14, 6.2.0-6.2.15, 6.0 (all)
    * FortiProxy: 7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.14, 2.0.0-2.0.13, 1.2 (all), 1.1 (all), 1.0 (all)
  * **CVE-2024-23113 (fgfmd Format String):**
    * FortiOS: 7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13
    * FortiProxy: 7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.14
    * FortiPAM: 1.2.0, 1.1.0-1.1.2, 1.0 (all)
- Configurations: Only deployments with the vulnerable feature enabled are exposed (e.g., SSL-VPN must be enabled for CVE-2024-21762 to be reachable). CVE-2024-23113 affects only the more recent release trains (those dating back to March 2022).
## Vulnerability Description
**CVE-2024-21762:** An improper parameter validation flaw exists within the FortiOS SSL-VPN component. This vulnerability allows a remote, unauthenticated attacker to copy bytes beyond buffer limits via specially crafted HTTP requests. This leads to memory corruption, potentially redirecting process flow and enabling Arbitrary Code Execution (ACE).
**CVE-2024-23113:** A format string vulnerability exists in the FortiOS `fgfmd` daemon. This allows a remote, unauthenticated attacker to achieve Arbitrary Code Execution (ACE) or arbitrary command execution by sending specifically tailored requests.
## Exploitation
- Status: CVE-2024-21762 is reportedly being exploited in the wild and has been added to the CISA KEV catalog. The exploitation status of CVE-2024-23113 is not explicitly stated, but given its CVSS score, exploitation should be anticipated.
- Complexity: Low (reachable remotely; no authentication required)
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential for ACE)
- Integrity: High (Potential for ACE)
- Availability: High (Potential for ACE leading to system compromise)
## Remediation
### Patches
Upgrade to the following fixed versions or higher:
* **CVE-2024-21762 Fixes:**
  * FortiOS: 7.4.3, 7.2.7, 7.0.14, 6.4.15, 6.2.16 (migrate older 6.0 releases)
  * FortiProxy: 7.4.3, 7.2.9, 7.0.15, 2.0.14 (migrate older 1.x releases)
* **CVE-2024-23113 Fixes:**
  * FortiOS: 7.4.3, 7.2.7, 7.0.14
  * FortiProxy: 7.4.3, 7.2.9, 7.0.16
  * FortiPAM: 1.2.1, 1.1.3 (migrate older 1.0 releases)
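The affected ranges and the fixed releases above are easy to misread when an inventory spans several release trains, so the following is an added example (not Fortinet's or Wiz's code) that encodes exactly the ranges and fix versions listed on this page and maps a product/version pair to the CVEs it is exposed to and the fix in the same train. Product names, the inventory entries and the `assess` helper are this example's own assumptions; a branch listed as "all" (e.g. FortiOS 6.0) is matched by prefix, and a train with no fix listed yields `None`, meaning migrate to a supported release.

```python
"""Map a FortiOS / FortiProxy / FortiPAM version to the CVEs listed on this page.

Added example: the version data is transcribed from the advisory summary above;
the lookup logic and the sample inventory are this example's own assumptions.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'7.0.13' -> (7, 0, 13); '6.0' -> (6, 0) for whole-branch entries."""
    return tuple(int(p) for p in s.strip().split("."))


# Inclusive affected ranges from the "Affected Systems" section.
# An upper bound of None means every build in that branch is affected.
AFFECTED: Dict[str, Dict[str, List[Tuple[str, Optional[str]]]]] = {
    "CVE-2024-21762": {
        "FortiOS": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13"),
                    ("6.4.0", "6.4.14"), ("6.2.0", "6.2.15"), ("6.0", None)],
        "FortiProxy": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.8"), ("7.0.0", "7.0.14"),
                       ("2.0.0", "2.0.13"), ("1.2", None), ("1.1", None), ("1.0", None)],
    },
    "CVE-2024-23113": {
        "FortiOS": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13")],
        "FortiProxy": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.8"), ("7.0.0", "7.0.14")],
        "FortiPAM": [("1.2.0", "1.2.0"), ("1.1.0", "1.1.2"), ("1.0", None)],
    },
}

# Fixed releases from the "Patches" section, per CVE and product.
FIXED: Dict[str, Dict[str, List[str]]] = {
    "CVE-2024-21762": {
        "FortiOS": ["7.4.3", "7.2.7", "7.0.14", "6.4.15", "6.2.16"],
        "FortiProxy": ["7.4.3", "7.2.9", "7.0.15", "2.0.14"],
    },
    "CVE-2024-23113": {
        "FortiOS": ["7.4.3", "7.2.7", "7.0.14"],
        "FortiProxy": ["7.4.3", "7.2.9", "7.0.16"],
        "FortiPAM": ["1.2.1", "1.1.3"],
    },
}


def in_range(version: str, lo: str, hi: Optional[str]) -> bool:
    """True if version falls inside [lo, hi]; hi=None means 'whole branch lo.*'."""
    v, lo_t = parse_version(version), parse_version(lo)
    if hi is None:
        return v[: len(lo_t)] == lo_t
    return lo_t <= v <= parse_version(hi)


def affected_cves(product: str, version: str) -> List[str]:
    """CVEs (in page order) whose affected ranges contain this product/version."""
    hits = []
    for cve, products in AFFECTED.items():
        if any(in_range(version, lo, hi) for lo, hi in products.get(product, [])):
            hits.append(cve)
    return hits


def assess(product: str, version: str) -> Tuple[List[str], Optional[str]]:
    """Return (affected CVEs, fix version in the same release train or None).

    The fix returned is the highest fixed build in the same major.minor train that
    covers every matching CVE; None with a non-empty CVE list means no fix exists
    in that train and the device must be migrated to a supported release.
    """
    cves = affected_cves(product, version)
    train = parse_version(version)[:2]
    candidates = [
        fix
        for cve in cves
        for fix in FIXED[cve].get(product, [])
        if parse_version(fix)[:2] == train
    ]
    fix = max(candidates, key=parse_version) if candidates else None
    return cves, fix


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    inventory = [("FortiOS", "7.2.5"), ("FortiOS", "6.0.17"),
                 ("FortiProxy", "7.0.12"), ("FortiPAM", "1.1.1"), ("FortiOS", "7.4.3")]
    for product, version in inventory:
        cves, fix = assess(product, version)
        if not cves:
            print(f"{product} {version}: not affected")
        else:
            action = f"upgrade to {fix}" if fix else "migrate to a supported release"
            print(f"{product} {version}: {', '.join(cves)} -> {action}")
```

Note that FortiProxy 7.0 has different fixed builds for the two CVEs on this page (7.0.15 and 7.0.16); `assess` deliberately returns the higher one so a single upgrade closes both.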
### Workarounds
* **For CVE-2024-21762:** Disable SSL VPN functionality if patching is not immediately possible.
* **For CVE-2024-23113:** Remove FGFM (FortiGate discovery/management) access from each interface. This blocks inbound FGFM discovery on those interfaces, while connections initiated by the FortiGate to FortiManager continue to function.
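Applying the FGFM workaround means checking the `allowaccess` list of every interface, which is tedious across a fleet. The following is an added example (not Fortinet's or Wiz's code) that parses a `config system interface` block as it appears in a FortiOS configuration dump, reports the interfaces that still expose `fgfm`, and emits the CLI block that reapplies each one's access list without it. The sample configuration is constructed for the example, and the assumption that the dump follows the standard `edit "name"` / `set allowaccess ...` / `next` layout is this example's own.

```python
"""Audit FortiOS interface 'allowaccess' settings for the fgfm service.

Added example, not vendor code: parses a 'config system interface' dump and
produces the workaround CLI for CVE-2024-23113 (remove fgfm per interface).
"""
import re
from typing import Dict, List

# Constructed sample dump (not captured from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https
        set type physical
    next
    edit "mgmt"
        set vdom "root"
        set allowaccess ping https ssh fgfm snmp
    next
end
"""

EDIT_RE = re.compile(r'^edit "([^"]+)"$')
ALLOWACCESS_PREFIX = "set allowaccess "


def parse_allowaccess(config_text: str) -> Dict[str, List[str]]:
    """Return {interface name: [allowed services]} for every interface in the dump.

    Interfaces with no 'set allowaccess' line map to an empty list.
    """
    result: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith(ALLOWACCESS_PREFIX):
            result[current] = line[len(ALLOWACCESS_PREFIX):].split()
    return result


def interfaces_with_fgfm(config_text: str) -> List[str]:
    """Names of interfaces whose allowaccess list includes fgfm, sorted."""
    return sorted(
        name for name, services in parse_allowaccess(config_text).items()
        if "fgfm" in services
    )


def remediation_cli(config_text: str) -> str:
    """CLI block that reapplies each affected interface's access list minus fgfm.

    An interface whose only service was fgfm gets 'unset allowaccess', the
    FortiOS CLI form for clearing a setting.
    """
    lines = ["config system interface"]
    for name, services in parse_allowaccess(config_text).items():
        if "fgfm" not in services:
            continue
        kept = [s for s in services if s != "fgfm"]
        lines.append(f'    edit "{name}"')
        if kept:
            lines.append("        set allowaccess " + " ".join(kept))
        else:
            lines.append("        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    exposed = interfaces_with_fgfm(SAMPLE_CONFIG)
    print("interfaces exposing fgfm:", ", ".join(exposed) or "none")
    if exposed:
        print(remediation_cli(SAMPLE_CONFIG))
```

Run the audit against the output of `show system interface` from each device; the generated block preserves every other service on the interface, so management access (HTTPS, SSH, SNMP) is unaffected by the change.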
## Detection
- Indicators of Compromise: Not explicitly listed, but focus on unusual network traffic patterns targeting SSL-VPN endpoints or unexpected process execution originating from the `fgfmd` daemon.
- Detection methods and tools: Wiz customers can use pre-built queries in the Wiz Threat Center to identify vulnerable instances.
## References
- Vendor advisories:
  - CVE-2024-21762: [FG-IR-24-015](https://www.fortiguard.com/psirt/FG-IR-24-015)
  - CVE-2024-23113: [FG-IR-24-029](https://www.fortiguard.com/psirt/FG-IR-24-029)
- Relevant links:
  - CISA KEV catalog addition for CVE-2024-21762: [CISA alert, 9 February 2024](https://www.cisa.gov/news-events/alerts/2024/02/09/cisa-adds-one-known-exploited-vulnerability-catalog)