Fortinet has released fixes for a critical remote code execution vulnerability in many versions of its FortiOS software that may be under active attack at the moment.
The vulnerability (CVE-2024-21762) is an out-of-bounds write in the sslvpnd component of the software, and it affects FortiOS 6.0, 6.2, 6.4, 7.0, 7.2, and 7.4. Fortinet released an advisory warning of the vulnerability on Thursday and urged customers to upgrade to the latest versions as soon as possible.
“A out-of-bounds write vulnerability in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests,” the advisory says.
Fortinet did not provide any details on the ongoing exploitation or specify which actors may be exploiting the vulnerability.
In addition to the actively exploited bug, Fortinet also released patches for three other flaws, including a second critical vulnerability. That bug (CVE-2024-23113) is in the fgfmd daemon, which is the FortiGate FortiManager. That service is enabled by default.
“A use of externally-controlled format string vulnerability in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests,” the advisory says.
That flaw affects versions 7.0, 7.2, and 7.4 of FortiOS. A workaround for this vulnerability is to disable the fgfm access on each interface.
“Note that this will prevent FortiGate discovery from FortiManager. Connections from the FortiGate will still work. Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround,” the advisory says.