Share this article on:
The Australian Signals Directorate’s Australian Cyber Security Centre is concerned about a FortiGuard vulnerability that could lead to remote code execution.
The Australian Cyber Security Centre (ACSC) released a critical alert late last week, pointing out the very real risk of remote code being executed on affected Fortinet FortiOS devices.
FortiOS is a network operating system used on FortiGuard’s hardware and software security products, such as switches and firewalls.
The bug in question – CVE-2024-21762 – is an “out-of-bounds write vulnerability that may allow unauthenticated RCE via a specially crafted HTTP request”, according to the ACSC’s alert notice. The ACSC is rating the complexity of the vulnerability as moderate.
“The ASD’s ACSC recommends business, organisations and government entities patch affected devices and disable SSL VPN,” the ACSC said in its alert.
The flaw is in the following versions of Fortiguard products:
FortiGuard advises either upgrading the older versions or migrating to a fixed release in the case of later ones. A possible workaround, however, is to disable SSL VPN. FortiGuard notes that disabling webmode is not a solution.
It’s worth following FortiGuard’s upgrade advice, as the company believes the vulnerability may already be being exploited in the wild.
Researchers at cyber security firm Rapid7 are more certain of the exploitation, however.
"According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is 'potentially being exploited in the wild.' The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred," Rapid7 said in a blog post.
Rapid7 also notes that such vulnerabilities are very popular with a certain class of hacker.
"Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors. Other recent Fortinet SSL VPN vulnerabilities (e.g., CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by adversaries as both zero-day and as n-day following public disclosure."
UPDATED 13/02/24 to add Rapid7 commentary
Comments powered by CComment