About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
Executive Summary
On February 8, 2024, Fortinet released a security advisory to their customers alerting them to a new vulnerability in FortiOS affecting the local sslvpnd service. Customers who operate FortiOS devices with SSL VPN services enabled may be affected. CVE-2024-21762 is a critical vulnerability that may allow adversaries to perform remote code execution (RCE) on FortiOS devices by submitting specially crafted HTTP requests to the device. Fortinet states that this vulnerability “…is potentially being exploited in the wild”. Out of an abundance of caution, RedLegg is publishing an advisory to its customers, recommending that they either mitigate this vulnerability by disabling SSL VPN services on affected FortiOS devices, or patch to the latest available FortiOS update.
VULNERABILITIES
Fortinet FortiOS Out-of-Bounds Remote Code Execution Vulnerability
Identifier: CVE-2024-21762 – CVSS Score 9.6 (CRITICAL)
Exploit or POC: Yes (Actively Being Exploited)
Update: FortiGuard Labs PSIRT FG-IR-24-015
Description: CVE-2024-21762 allows remote code execution. Authentication is not required to successfully exploit this vulnerability. CVE-2024-21762 is an out-of-bounds write vulnerability in the sslvpnd service that could allow an adversary to execute code remotely by sending specially crafted HTTP requests.
Mitigation recommendation: Disable SSL VPN; note that this disables VPN services on the affected FortiOS devices. Fortinet notes that disabling webmode is NOT a valid workaround.
If VPN services must remain in use, patching is currently the only method of mitigation. Update to the latest software versions listed in the FortiGuard Labs PSIRT FG-IR-24-015.
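As an added example (not part of RedLegg's bulletin or Fortinet's advisory), the following Python check flags a FortiGate as still exposed when SSL VPN is enabled and the running FortiOS version is below the fixed release. The sample CLI outputs are constructed, the `set status` attribute under `config vpn ssl settings` is assumed to exist on the target firmware, and the fixed-version table is a placeholder the operator fills in from FG-IR-24-015.

```python
"""Remediation check for CVE-2024-21762: a device is still exposed when SSL VPN
is enabled AND the running version is below the first fixed release."""
import re

# Constructed sample of `get system status` output (version line format as on FortiGate).
SAMPLE_STATUS = """Version: FortiGate-100F v7.2.6,build1575,230923 (GA.M)
Serial-Number: FGT-PLACEHOLDER
Operation Mode: NAT
"""

# Constructed sample of `show vpn ssl settings` output with SSL VPN still serving on wan1.
SAMPLE_SSL_SETTINGS = """config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set source-interface "wan1"
    set source-address "all"
end
"""

# PLACEHOLDER: replace with the first fixed release per branch from FG-IR-24-015.
FIXED_VERSIONS = {"7.2": (7, 2, 999)}


def parse_version(status_output: str) -> tuple:
    """Extract (major, minor, patch) from the 'Version:' line of `get system status`."""
    m = re.search(r"^Version:.*?v(\d+)\.(\d+)\.(\d+)", status_output, re.M)
    if not m:
        raise ValueError("no FortiOS version line found")
    return tuple(int(x) for x in m.groups())


def sslvpn_enabled(settings_output: str) -> bool:
    """SSL VPN counts as active unless 'set status disable' is present (assumed
    attribute) or no source interface is bound. Web-mode settings are ignored on
    purpose: disabling webmode is not a valid workaround."""
    if re.search(r"^\s*set status disable\s*$", settings_output, re.M):
        return False
    return re.search(r'^\s*set source-interface\s+"', settings_output, re.M) is not None


def exposed(status_output: str, settings_output: str, fixed_versions: dict) -> bool:
    """True when SSL VPN is on and the version is below the fixed release for its branch."""
    ver = parse_version(status_output)
    if not sslvpn_enabled(settings_output):
        return False  # mitigation applied: SSL VPN is off
    fixed = fixed_versions.get(f"{ver[0]}.{ver[1]}")
    if fixed is None:
        return True  # unknown branch: treat as exposed until checked against the PSIRT
    return ver < fixed
```

Run it against the captured `get system status` and `show vpn ssl settings` output of each device; any `True` result means the device still needs either the SSL VPN disabled or the patch applied.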
RedLegg Action: None at this time.