Alert - Vulnerabilities impacting Fortinet FortiOS – Update 1 Number: AL24-003 Date: October 11, 2024 Audience This Alert is intended for IT professionals and managers. Purpose An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested. Details On February 8, 2024, the Cyber Centre became aware of vulnerabilities impacting multiple versions of Fortinet FortiOS. In response to this advisory the Cyber Centre released advisory AV24-074 on February 9, 2024 Footnote 1 . Fortinet reports that CVE-2024-21762 is an out-of-bounds write vulnerability in SSL VPN that may allow a remote unauthenticated threat actor to execute arbitrary code and commands via specially crafted HTTP request Footnote 2 . Fortinet has indicated that CVE-2024-21762 may have been exploited in the wild. A second significant vulnerability (CVE-2024-23113) was reported which is a format string bug within the FortiOS FortiGate to FortiManager (fgfmd) protocol. The vulnerability may allow a remote, unauthenticated threat actor to execute arbitrary code or commands via specially crafted requests Footnote 3 . Fortinet has not indicated that this vulnerability has been exploited. On February 9, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) updated their Known Exploited Vulnerabilities (KEV) Catalog in response to the Fortinet FortiOS out-of-bound write vulnerability CVE-2024-21762 Footnote 4 . Update 1 Fortinet updated their advisories Footnote 2 Footnote 3 to include additional affected products and to advise that both vulnerabilities have been exploited. The Cyber Centre has noted the additional affected products under Suggested Actions below. On October 9, 2024, CISA released a statement Footnote 6 indicating that CVE-2024-23113 is being actively exploited in the wild and added it to their Known Exploited Vulnerabilities (KEV) Catalog Footnote 4 . Suggested actions Fortinet recommends as a temporary workaround, to disable the SSL-VPN service until patching can be completed for CVE-2024-21762 Footnote 2 . In regard to CVE-2024-23113, Fortinet also recommends that organizations consider whether there is a need to expose the fgfm daemon (port 541) to the internet for inbound connections, until patching can be completed Footnote 3 . The Cyber Centre strongly recommends that organizations determine if any Fortinet devices need to be patched to remediate these vulnerabilities. Version: FortiOS 7.6 - Affected: Not affected - Solution: Not Applicable FortiOS 7.4 - Affected: 7.4.0 to 7.4.2 - Solution: Upgrade to 7.4.3 or above FortiOS 7.2 - Affected: 7.2.0 to 7.2.6 - Solution: Upgrade to 7.2.7 or above FortiOS 7.0 - Affected: 7.0.0 to 7.0.13 - Solution: Upgrade to 7.0.14 or above FortiOS 6.4 - Affected: 6.4.0 to 6.4.14 - Solution: Upgrade to 6.4.15 or above FortiOS 6.2 - Affected: 6.2.0 to 6.2.15 - Solution: Upgrade to 6.2.16 or above FortiOS 6.0 - Affected: 6.0 all versions - Solution: Migrate to a fixed release FortiPAM 1.3 - Affected: Not affected - Solution: Not Applicable FortiPAM 1.2 - Affected: 1.2 all versions - Solution: Migrate to a fixed release FortiPAM 1.1 - Affected: 1.1 all versions - Solution: Migrate to a fixed release FortiPAM 1.0 - Affected: 1.0 all versions - Solution: Migrate to a fixed release FortiProxy 7.4 - Affected: 7.4.0 through 7.4.2 - Solution: Upgrade to 7.4.3 or above FortiProxy 7.2 - Affected: 7.2.0 through 7.2.8 - Solution: Upgrade to 7.2.9 or above FortiProxy 7.0 - Affected: 7.0.0 through 7.0.15 - Solution: Upgrade to 7.0.16 or above FortiProxy 2.0 - Affected: 2.0.0 through 2.0.13 - Solution: Upgrade to 2.0.14 or above FortiProxy 1.2 - Affected: 1.2 all versions - Solution: Migrate to a fixed release FortiProxy 1.1 - Affected: 1.1 all versions - Solution: Migrate to a fixed release FortiProxy 1.0 - Affected: 1.0 all versions - Solution: Migrate to a fixed release FortiWeb 7.4 - Affected: 7.4.0 through 7.4.2 - Solution: Upgrade to 7.4.3 or above Organizations should also review and implement the Cyber Centre's Top 10 IT Security Actions Footnote 5 with an emphasis on the following topics: consolidating, monitoring, and defending Internet gateways patching operating systems and applications isolate web-facing applications Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal , or email contact@cyber.gc.ca . Partner Reporting ACSC - Critical Vulnerability in FortiOS NCSC-NZ - Cyber Security Alert: CVEs affecting FortiOS SSL VPN Date modified: 2024-10-11