FortiOS [CVE-2024-21762] [FG-IR-24-015]
Date of Notice: 02/09/2024
Action Level - Critical
Description
MCNC wants to alert you regarding a new critical remote code execution vulnerability in FortiOS SSL VPN. This vulnerability is tracked as CVE-2024-21762/FG-IR-24-015 and affects FortiOS; it may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.
This flaw was disclosed along with CVE-2024-23113 (Critical/9.8 rating), CVE-2023-44487 (Medium), and CVE-2023-47537 (Medium).
Affected Versions
Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allow an attacker to execute unauthorized code or commands via specifically crafted requests.
Fixed Versions
Version        Affected                 Solution
FortiOS 7.6    Not affected             Not applicable
FortiOS 7.4    7.4.0 through 7.4.2      Upgrade to 7.4.3 or above
FortiOS 7.2    7.2.0 through 7.2.6      Upgrade to 7.2.7 or above
FortiOS 7.0    7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
FortiOS 6.4    6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
FortiOS 6.2    6.2.0 through 6.2.15     Upgrade to 6.2.16 or above
FortiOS 6.0    6.0 all versions         Migrate to a fixed release
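The following Python script is an added example, not part of the MCNC advisory or Fortinet's own tooling. It encodes the FortiOS affected ranges and upgrade targets from the table above and checks a device inventory against them, so an administrator with many firewalls can see at a glance which units need the upgrade. Version strings are compared numerically (a plain string comparison would rank 7.0.13 below 7.0.9), and the 6.0 branch is handled as "all versions affected" exactly as the table states. The inventory format (hostname,version lines) and the device names are constructed for the example.

```python
"""Check FortiOS version strings against the CVE-2024-21762 affected ranges.

Ranges and remediation text are taken from the advisory's Fixed Versions
table; the inventory below is constructed sample data, not real devices.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '7.0.13' into (7, 0, 13) so comparisons are numeric, not lexical.

    A two-part version such as '7.4' is padded to (7, 4, 0).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


# (inclusive lower bound, inclusive upper bound, remediation) per branch,
# copied from the Fixed Versions table. FortiOS 7.6 is not affected and so
# has no entry; the 6.0 branch is handled separately because every 6.0.x
# release is affected and requires a migration rather than a patch.
FORTIOS_AFFECTED = [
    ((7, 4, 0), (7, 4, 2), "Upgrade to 7.4.3 or above"),
    ((7, 2, 0), (7, 2, 6), "Upgrade to 7.2.7 or above"),
    ((7, 0, 0), (7, 0, 13), "Upgrade to 7.0.14 or above"),
    ((6, 4, 0), (6, 4, 14), "Upgrade to 6.4.15 or above"),
    ((6, 2, 0), (6, 2, 15), "Upgrade to 6.2.16 or above"),
]
FORTIOS_60_REMEDIATION = "Migrate to a fixed release"


def remediation_for(version_text: str) -> Optional[str]:
    """Return the remediation string if this FortiOS version is affected,
    or None if the version is not in any affected range (e.g. 7.4.3, 7.6.0)."""
    v = parse_version(version_text)
    if v[:2] == (6, 0):
        return FORTIOS_60_REMEDIATION
    for low, high, fix in FORTIOS_AFFECTED:
        if low <= v <= high:
            return fix
    return None


def scan_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'hostname,version' lines (constructed format) and return
    (hostname, version, action) for every device that needs attention.

    Unparseable versions are reported too, since a device whose version
    cannot be read must be checked by hand rather than silently skipped.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(",")
        try:
            fix = remediation_for(ver)
        except ValueError:
            findings.append((host, ver, "unparseable version; check manually"))
            continue
        if fix is not None:
            findings.append((host, ver, fix))
    return findings


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
# hostname,FortiOS version
fw-edge-1,7.4.2
fw-edge-2,7.4.3
fw-branch-1,7.0.13
fw-lab,6.0.12
fw-dc-1,7.6.0
fw-old,unknown
"""

if __name__ == "__main__":
    for host, ver, action in scan_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host:12} {ver:8} {action}")
```

Running the script lists the four sample devices that need action (the two patched or unaffected ones are omitted). The FortiProxy ranges from the Affected Versions section are not included because the advisory gives no fixed versions for them; extend FORTIOS_AFFECTED from the vendor advisory if you manage FortiProxy units.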
Attack Vector
FortiOS SSL VPN
Attack Feasibility
FortiGuard notes that this vulnerability is potentially being exploited in the wild.
Mitigation/Remediation
Update to the recommended solution based on your affected version. If you cannot update, the workaround is to disable SSL VPN entirely (disabling webmode only is NOT a valid workaround).
Vendor Resources