Question:

What are the implications of the newly disclosed CVE-2024-21762 vulnerability that affects multiple versions of FortiOS and allows remote code execution via SSLVPN? How can users mitigate this risk by applying the latest patches from Fortinet?

Answer:

How to protect your Fortinet devices from a critical SSL VPN vulnerability

Fortinet, a leading provider of network security products, has recently disclosed a critical vulnerability in its FortiOS and FortiProxy software that could allow remote attackers to execute arbitrary code or commands on vulnerable devices. The vulnerability, tracked as CVE-2024-21762 , is an out-of-bound write flaw in the sslvpnd daemon, which handles the SSL VPN functionality of FortiOS and FortiProxy. According to Fortinet, this vulnerability is “potentially being exploited in the wild” and affects multiple versions of FortiOS and FortiProxy.

CVE-2024-21762 poses a serious threat to the security and availability of Fortinet devices that have SSL VPN enabled, as it could allow unauthenticated attackers to gain full control over them by sending specially crafted HTTP requests. This could result in data theft, network compromise, ransomware infection, denial-of-service, or other malicious activities. Moreover, CVE-2024-21762 has a high severity rating of 9.6 out of 10 on the CVSS scale, indicating that it is easy to exploit and has a high impact.

CVE-2024-21762 is especially concerning because Fortinet devices are widely used by organizations across various sectors, including government, healthcare, education, and finance. In fact, Fortinet devices have been previously targeted by state-sponsored threat actors, such as the Chinese APT group APT5, who exploited known vulnerabilities in FortiOS to gain access to U.S. critical infrastructure. Therefore, CVE-2024-21762 could be leveraged by sophisticated adversaries to launch cyberattacks against high-value targets.

How can users mitigate this risk?

The best way to protect your Fortinet devices from CVE-2024-21762 is to apply the latest patches from Fortinet as soon as possible. Fortinet has released security updates for FortiOS and FortiProxy that address this vulnerability, as well as three other flaws that affect the same products. The affected versions of FortiOS and FortiProxy are:

• FortiOS 7.4.0 through 7.4.2
• FortiOS 7.2.0 through 7.2.6
• FortiOS 7.0.0 through 7.0.13
• FortiOS 6.4.0 through 6.4.14
• FortiOS 6.2.0 through 6.2.15
• FortiOS 6.0.0 through 6.0.17
• FortiProxy 7.4.0 through 7.4.2
• FortiProxy 7.2.0 through 7.2.8
• FortiProxy 7.0.0 through 7.0.14
• FortiProxy 2.0.0 through 2.0.13
• FortiProxy 1.2.0 through 1.2.13
• FortiProxy 1.1.0 through 1.1.6
• FortiProxy 1.0.0 through 1.0.7

Users can download the patches from the Fortinet support site or use the FortiGuard update service to automatically update their devices. Users should also verify that their devices are not already compromised by checking the logs for any suspicious activity or indicators of compromise (IOCs) related to CVE-2024-21762. Some of the IOCs that have been reported by security researchers are:

• HTTP requests with the User-Agent header set to “Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko”
• HTTP requests with the Content-Type header set to “application/x-www-form-urlencoded”
• HTTP requests with the Content-Length header set to “0”
• HTTP requests with the URI path set to “/remote/logincheck”
• HTTP requests with the POST data containing the parameter “ajax=1”

If users detect any signs of compromise, they should isolate the affected devices, perform a forensic analysis, and restore them from a clean backup.

Conclusion

CVE

-2024-21762 is a critical vulnerability in Fortinet FortiOS and FortiProxy that could allow remote code execution via SSL VPN. Users should apply the latest patches from Fortinet as soon as possible to prevent potential exploitation by attackers. Users should also monitor their devices for any signs of compromise and take appropriate actions if needed. By following these steps, users can ensure the security and availability of their Fortinet devices and networks.