Fortinet FortiGate CVE-2024-23113

SOCFortress
2 min read · Oct 16, 2024


Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

Use of externally-controlled format string in:

Fortinet FortiOS versions:

  • 7.4.0 through 7.4.2,
  • 7.2.0 through 7.2.6,
  • 7.0.0 through 7.0.13,

FortiProxy versions:

  • 7.4.0 through 7.4.2,
  • 7.2.0 through 7.2.8,
  • 7.0.0 through 7.0.14,

FortiPAM versions:

  • 1.2.0, 1.1.0 through 1.1.2,
  • 1.0.0 through 1.0.3,

FortiSwitchManager versions:

  • 7.2.0 through 7.2.3,
  • 7.0.0 through 7.0.3

allows an attacker to execute unauthorised code or commands via specially crafted packets.

A use of externally-controlled format string vulnerability [CWE-134] in the FortiOS fgfmd daemon may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

In early February, Fortinet published two reports warning users of CVE-2024-23113 and CVE-2024-21762. Within a day of their release, CISA added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) Catalog.

Now, CISA requires federal agencies to patch the Fortinet flaw by October 30th.

Solution: FortiOS upgrade.

Workarounds

For each interface, remove fgfm access. For example, change:

config system interface
edit "portX"
set allowaccess ping https ssh fgfm
next
end

to:

config system interface
edit "portX"
set allowaccess ping https ssh
next
end

Note that this will prevent FortiGate discovery from FortiManager; connections initiated from the FortiGate will still be possible.
Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface, but it won't prevent the vulnerability from being exploited from that IP. As a consequence, this should be treated as a mitigation and not as a complete workaround.
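As an added audit script (not from the original post or from Fortinet), the following Python parses a FortiGate "config system interface" dump, lists every interface that still has fgfm in allowaccess, and prints the replacement line the workaround above calls for. The sample config is constructed; nested sub-tables such as "config ipv6" are skipped on purpose.

```python
import re

# Constructed sample of a FortiGate "show system interface" dump; not from any real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping https
        end
    next
    edit "mgmt"
        set allowaccess https fgfm
    next
end
"""

def parse_allowaccess(config):
    """Map each interface in 'config system interface' to its allowaccess service list."""
    services, current, depth, target = {}, None, 0, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):          # entering a (possibly nested) table
            depth += 1
            if line == "config system interface":
                target = depth
        elif line == "end":                     # leaving a table
            if depth == target:
                target = None
            depth -= 1
        elif depth == target:                   # ignore nested sub-tables such as 'config ipv6'
            m = re.match(r'edit\s+"?([^"]+)"?$', line)
            if m:
                current = m.group(1)
                services[current] = []          # no allowaccess line means nothing is exposed
            elif current and line.startswith("set allowaccess"):
                services[current] = line.split()[2:]
    return services

def fgfm_exposed(config):
    """Return {interface: replacement CLI line} for every interface that still allows fgfm."""
    findings = {}
    for iface, svcs in parse_allowaccess(config).items():
        if "fgfm" in svcs:
            keep = [s for s in svcs if s != "fgfm"]  # FortiOS 'unset' reverts the setting to default
            findings[iface] = "set allowaccess " + " ".join(keep) if keep else "unset allowaccess"
    return findings
```

Run `fgfm_exposed(SAMPLE_CONFIG)` against a real dump to get the per-interface lines to apply inside `edit "<name>" ... next`.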

Detections (exploitation attempts).

Snort/Suricata:

# This rule keys on HTTP requests to /remote/ (the CVE-2024-21762 vector); it does not inspect FGFM traffic.
# classtype must exist in classification.config: "malicious" is not a default class, so
# web-application-attack is used. Pick a sid from your local range before deploying.
alert http any any -> any any (msg:"Fortinet FortiOS Fortiproxy RCE CVE-2024-21762 Attempt"; flow:to_server,established; \
http.uri.raw; content:"/remote/"; fast_pattern; \
http.header_names; content:"transfer-encoding"; nocase; \
http.header.raw; content:"chunked"; nocase; isdataat:200; \
http.request_body; content:"0|0D 0A|"; \
http.request_body; content:"|3A|"; \
classtype:web-application-attack; sid:123; rev:1;)

For FortiGate security events stored in OpenSearch, the equivalent Lucene query (a regex match on the url field):

url:/\/remote\//


Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
