Fortinet has addressed an out-of-bounds write vulnerability in the FortiOS SSL VPN component. Tracked as CVE-2024-21762, the vulnerability carries a critical severity rating with a CVSS score of 9.6. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.
Fortinet states in its advisory that the vulnerability is potentially being exploited in the wild.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog with a remediation due date of 16 Feb 2024.
FortiOS is considered the brain of the Fortinet Security Fabric: it is the operating system that connects all of the Fabric's components and ensures tight integration across an enterprise deployment.
Affected Products and Versions
- FortiOS 7.4 (versions 7.4.0 through 7.4.2)
- FortiOS 7.2 (versions 7.2.0 through 7.2.6)
- FortiOS 7.0 (versions 7.0.0 through 7.0.13)
- FortiOS 6.4 (versions 6.4.0 through 6.4.14)
- FortiOS 6.2 (versions 6.2.0 through 6.2.15)
- FortiOS 6.0, all versions
Mitigation
Customers are advised to upgrade to the following versions to patch the vulnerability:
- FortiOS 7.4: upgrade to 7.4.3 or above
- FortiOS 7.2: upgrade to 7.2.7 or above
- FortiOS 7.0: upgrade to 7.0.14 or above
- FortiOS 6.4: upgrade to 6.4.15 or above
- FortiOS 6.2: upgrade to 6.2.16 or above
- FortiOS 6.0: no fixed release is available; migrate to a fixed release on a supported branch
Where an immediate upgrade is not possible, Fortinet recommends disabling SSL VPN as a workaround. Note that disabling only SSL VPN web mode is not a valid workaround; the SSL VPN service itself must be disabled.
Please refer to the Fortinet PSIRT Advisory (FG-IR-24-015) for more information.
EVALUATE Vendor-Suggested Mitigation/Workaround with Policy Compliance (PC)
With Qualys Policy Compliance's out-of-the-box mitigation or compensatory controls, the risk of a vulnerability being exploited is reduced when the remediation (fix/patch) cannot be implemented immediately.
The Qualys Policy Compliance team releases these controls based on the vendor-suggested mitigation or workaround.
A mitigation is a setting, common configuration, or general best practice, often present in a default state, that reduces the severity or likelihood of exploitation of a vulnerability.
A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method is not working. In information technology a workaround is often used to overcome a hardware, programming, or communication problem; once the underlying problem is fixed, the workaround is usually removed.
The following Qualys Policy Compliance Control IDs (CIDs) and System Defined Controls (SDC) have been published to support evaluation of the recommended workaround:
- 26250 Status of the ‘SSL VPN’ setting configured on the host
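The two questions a practitioner has to answer for every FortiGate during triage are the ones the sections above describe: is the running FortiOS build inside the affected ranges from FG-IR-24-015, and, if it is, has the SSL VPN workaround actually been applied (the condition CID 26250 evaluates)? The following Python is an added example written for this page; it is not Fortinet's or Qualys's code. The version ranges and fixed releases are the ones listed in the advisory. The sample `get system status` line and `show vpn ssl settings` outputs are constructed, and the config check assumes that `config vpn ssl settings` on current FortiOS releases has a `status` option that defaults to enable and that `show` omits default values, so an explicit `set status disable` is the only positive signal that the listener is off; adjust the parser if your build prints the setting differently.

```python
"""Triage helper for CVE-2024-21762 (added example, not vendor code).

1. assess(version)          -> is this FortiOS build in an affected range?
2. ssl_vpn_enabled(output)  -> from `show vpn ssl settings`, is SSL VPN still on?
3. triage(version, output)  -> combined verdict for an asset inventory.
"""
import re
from typing import Optional, Tuple

# Inclusive affected ranges per FG-IR-24-015. FortiOS 6.0 is affected in all
# versions and has no fixed release, so it is handled separately below.
AFFECTED = {
    (7, 4): ((7, 4, 0), (7, 4, 2)),
    (7, 2): ((7, 2, 0), (7, 2, 6)),
    (7, 0): ((7, 0, 0), (7, 0, 13)),
    (6, 4): ((6, 4, 0), (6, 4, 14)),
    (6, 2): ((6, 2, 0), (6, 2, 15)),
}
# Minimum fixed release per branch, again from the advisory.
FIXED = {
    (7, 4): (7, 4, 3), (7, 2): (7, 2, 7), (7, 0): (7, 0, 14),
    (6, 4): (6, 4, 15), (6, 2): (6, 2, 16),
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from 'v7.2.5', '7.2.5', or a full
    'get system status' Version line (assumed format, see sample below)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def assess(version: str) -> dict:
    """Return vulnerability status and the fixed release for one build."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch == (6, 0):
        return {"version": v, "vulnerable": True, "fix": None,
                "note": "6.0 has no fix; migrate to a fixed release"}
    if branch not in AFFECTED:
        # e.g. a branch released after the advisory; not listed, so not claimed.
        return {"version": v, "vulnerable": False, "fix": None,
                "note": "branch not listed in FG-IR-24-015; verify manually"}
    lo, hi = AFFECTED[branch]
    vulnerable = lo <= v <= hi  # tuple comparison is lexicographic
    return {"version": v, "vulnerable": vulnerable, "fix": FIXED[branch],
            "note": "upgrade required" if vulnerable else "at or above fixed release"}


def ssl_vpn_enabled(show_output: str) -> bool:
    """Decide from `show vpn ssl settings` whether the SSL VPN listener is active.

    Assumption: `status` defaults to enable and `show` omits defaults, so the
    service is off only when 'set status disable' appears explicitly. A config
    with no source-interface bound is treated as not listening either.
    """
    status_disabled = re.search(r"^\s*set status disable\b", show_output, re.M) is not None
    bound_iface = re.search(r'^\s*set source-interface\s+"', show_output, re.M) is not None
    return (not status_disabled) and bound_iface


def triage(version: str, show_output: Optional[str] = None) -> str:
    """Combined verdict: what to do with this asset first."""
    a = assess(version)
    if not a["vulnerable"]:
        return "not affected"
    if show_output is not None and not ssl_vpn_enabled(show_output):
        return "workaround in place (SSL VPN disabled); schedule upgrade"
    return "EXPOSED: patch to fixed release or disable SSL VPN now"


# --- constructed sample inputs (not captured from a real device) ---
SAMPLE_STATUS_LINE = "Version: FortiGate-100F v7.2.5,build1517,230906 (GA.F)"

SAMPLE_SHOW_ENABLED = """config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
end
"""

SAMPLE_SHOW_DISABLED = """config vpn ssl settings
    set status disable
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
end
"""

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS_LINE))
    print(triage(SAMPLE_STATUS_LINE, SAMPLE_SHOW_ENABLED))
    print(triage(SAMPLE_STATUS_LINE, SAMPLE_SHOW_DISABLED))
    print(triage("v7.2.7"))
```

Feed `assess` the Version line from `get system status` and `ssl_vpn_enabled` the output of `show vpn ssl settings` collected over SSH or from a configuration backup. An asset that comes back "EXPOSED" is one where CID 26250 would also fail; an asset reported as "workaround in place" still needs the upgrade scheduled, because the advisory's workaround removes the attack surface but does not remove the bug.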
Qualys Detection
Qualys customers can scan their devices with QID 44170 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.