High Severity Flaw: Vulnerability Rated 9.6 CVSS Score, Enables Remote Execution of Arbitrary Commands via Crafted HTTP Requests
Fortinet urges prompt patching of an N-day vulnerability, possibly exploited in the wild for remote code execution (RCE) attacks. Tracked as CVE-2024-21762, this critical flaw poses a significant risk with a CVSS score of 9.6, enabling remote, unauthenticated actors to execute arbitrary commands via crafted HTTP requests. Although specifics of exploitation remain u**********, a recent Fortinet report underscores the urgency in addressing known vulnerabilities, some exploited in a China-backed espionage campaign.
Read more: GTT Expands Secure Connect Portfolio with Fortinet’s SASE Offering
“The best defense against any N-Day vulnerability is following good cyber hygiene, including remediation guidance and timely patching. The complexity of the exploit suggests an advanced actor, and the fact the attacks are highly targeted at governmental or strategic targets such as critical national infrastructure, manufacturing, and service providers in government-adjacent industries suggests nation-state capability.”
Patching or Workaround Urged Without Delay
Immediate patching or implementation of a workaround is strongly recommended by Fortinet due to the potential exploitation of the “out-of-bounds write” vulnerability in the Secure Socket Layer Virtual Private Network (SSL VPN) service within the Fortinet operating system FortiOS. SSL VPNs serve as trusted secure connections to private organizational networks. Attackers exploit vulnerabilities such as CVE-2024-21762 to infiltrate and compromise systems and networks through these secured channels.
The vulnerability affects FortiOS versions 7.4 (prior to 7.4.2), 7.2 (prior to 7.2.6), 7.0 (prior to 7.0.13), 6.4 (prior to 6.4.14), 6.2 (prior to 6.2.15), and all versions of 6.0. While patches have been released with successive versions of Fortinet, users must note that versions 6.2, 6.4, 7.0, 7.2, and 7.4 have reached the end of support. It’s important to highlight that version 7.6 remains unaffected by this vulnerability.
For users unable to upgrade to patched versions, Fortinet suggests disabling SSL VPN as a temporary workaround. Additionally, Fortinet warns of another critical vulnerability (CVSS 9.8), tracked under CVE-2024-23113, which allows remote code execution (RCE) through the exploitation of an “externally-controlled format string vulnerability” in the FortiOS fgfmd daemon, another authentication module for secure connections.
Read more: Clearwater, 1stResponder Partner to Boost Cyber Incident Response
Fortinet Raises Alarm on Nation-State Exploitation
Fortinet issues a stark warning regarding the exploitation tactics employed by nation-state threat actors, particularly Volt Typhoon, backed by China. Highlighting the tactics, techniques, and procedures (TTPs) utilized, Fortinet identifies the exploitation of known vulnerabilities, including CVE-2022-42475 and CVE-2023-27997, to infiltrate critical infrastructure organizations. The investigation revealed the use of living-off-the-land (LOTL) binaries consistent with Volt Typhoon’s modus operandi.
This attribution was corroborated by an advisory from the Cybersecurity and Infrastructure Security Agency (CISA), issued concurrently with Fortinet’s report. Notably, the utilization of Fortinet vulnerabilities by Volt Typhoon underscores a broader pattern of cyber intrusions by the People’s Republic of China (PRC) into critical U.S. systems, as highlighted by Cynthia Kaiser, Deputy Assistant Director for the FBI’s Cybersecurity Division, in statements reported by The Register.
In response to these threats, the FBI has reportedly petitioned for the renewal of Section 702 of the Foreign Intelligence Surveillance Act (FISA), enabling federal authorities to conduct surveillance on foreign electronic communications overseas.
FAQs
1. What are N-Day vulnerabilities, as mentioned in the Fortinet report?
N-Day vulnerabilities are known vulnerabilities for which a patch or fix is available but have not yet been resolved by organizations through patching.
2. Which specific Fortinet vulnerabilities are being targeted by threat actors, according to the report?
Threat actors are targeting vulnerabilities disclosed in December 2022 (CVE-2022-42475) and June 2023 (CVE-2023-27997) concerning Fortinet’s FortiOS and FortiProxy systems.
3. What industries are primarily targeted by the malicious activity discussed in the Fortinet report?
Malicious activity primarily targets industries such as manufacturing, consulting, and local government.
4. What actions are recommended for organizations to mitigate the risks associated with these vulnerabilities?
Organizations are advised to monitor Fortinet Security Advisories and promptly patch affected systems, perform clean installations of the latest patch versions if compromise is suspected, follow hardening recommendations, minimize attack surfaces, and maintain good cyber hygiene.
5. What additional measures has Fortinet implemented to prevent the exploitation of unpatched systems?
Fortinet has implemented hardware-based firmware and filesystem integrity checking, including virtual patching of the local management interface and real-time file system integrity checking, to prevent the exploitation of unpatched systems in the wild.
[To share your insights with us as part of editorial or sponsored content, please write to sghosh@martechseries.com]
