Critical Fortinet Vulnerability Exploited in the Wild

Summary

  • OEM: Fortinet
  • Severity: Critical
  • Date of Announcement: 2024-10-16
  • CVSS Score: 9.8
  • CVE: CVE-2024-23113
  • CWE: CWE-134
  • Exploited in Wild: Yes
  • Patch/Remediation Available: Yes
  • Advisory Version: 1.0

Overview

A critical vulnerability (CVE-2024-23113) has been identified in the FortiOS fgfmd daemon that enables unauthenticated attackers to remotely execute arbitrary code or commands. The flaw is a format string vulnerability (CWE-134) within the fgfmd daemon: specially crafted requests can trigger arbitrary code execution, potentially resulting in full system compromise. Affected versions include multiple releases of FortiOS, FortiPAM, FortiProxy, and FortiWeb.

  • Vulnerability Name: Fortinet Products Format String Vulnerability
  • CVE ID: CVE-2024-23113
  • Product Affected: FortiOS, FortiProxy, FortiPAM, FortiWeb
  • Impact: Critical
  • CVSS Score: 9.8

Technical Summary

  • CVE ID: CVE-2024-23113
  • System Affected: FortiOS (7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13), FortiProxy (7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.15), FortiPAM (1.2 and lower), FortiWeb (7.4.0-7.4.2)
  • Vulnerability Details: The vulnerability lies in the fgfmd daemon’s handling of format strings in incoming requests, which can be exploited by remote attackers via crafted inputs. Exploitation of this flaw allows attackers to execute unauthorized code or commands on the affected systems.
  • Impact: Remote Code Execution (RCE)

Remediation

Fortinet has released security patches addressing this vulnerability. The patched versions for each product are listed below.

  • FortiOS: Upgrade to version 7.4.3, 7.2.7, or 7.0.14 and above.
  • FortiProxy: Upgrade to version 7.4.3, 7.2.9, or 7.0.16 and above.
  • FortiPAM: Migrate to the latest supported version.
  • FortiWeb: Upgrade to version 7.4.3 and above.
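
The affected ranges and fixed releases above can be turned into a quick inventory triage. The following is an added example, not code from Fortinet or from the original advisory; the hostnames and inventory are constructed, and treating "1.2 and lower" as any FortiPAM 1.2.x or older release is an assumption.

```python
import re

# Ranges copied from this advisory's Technical Summary and Remediation sections:
# (lowest affected, highest affected, first fixed release on that branch).
AFFECTED = {
    "FortiOS": [((7, 4, 0), (7, 4, 2), "7.4.3"),
                ((7, 2, 0), (7, 2, 6), "7.2.7"),
                ((7, 0, 0), (7, 0, 13), "7.0.14")],
    "FortiProxy": [((7, 4, 0), (7, 4, 2), "7.4.3"),
                   ((7, 2, 0), (7, 2, 8), "7.2.9"),
                   ((7, 0, 0), (7, 0, 15), "7.0.16")],
    "FortiWeb": [((7, 4, 0), (7, 4, 2), "7.4.3")],
}
FORTIPAM_MAX = (1, 2)  # assumption: "1.2 and lower" covers any 1.2.x or older


def parse_version(text):
    """Turn '7.2.6', 'v7.2.6' or '1.2' into a comparable (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(product, version):
    """Return (status, action) for one device according to this advisory."""
    v = parse_version(version)
    if product == "FortiPAM" and v[:2] <= FORTIPAM_MAX:
        return "affected", "migrate to the latest supported version"
    for low, high, fixed in AFFECTED.get(product, []):
        if low <= v <= high:
            return "affected", f"upgrade to {fixed} or above"
    # Outside the listed ranges is reported as "not listed", never as "safe".
    return "not listed", "check the vendor advisory for this branch"


INVENTORY = [  # constructed sample inventory; hostnames are placeholders
    ("fw-edge-01", "FortiOS", "v7.2.6"),
    ("fw-core-01", "FortiOS", "7.4.3"),
    ("proxy-01", "FortiProxy", "7.0.15"),
    ("pam-01", "FortiPAM", "1.2.0"),
    ("waf-01", "FortiWeb", "7.2.5"),
]


def triage(inventory):
    """Return one (host, product, version, status, action) row per device."""
    return [(h, p, ver, *assess(p, ver)) for h, p, ver in inventory]


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("{:<12}{:<11}{:<8}{:<11}{}".format(*row))
```

Branches that the advisory does not list, such as older end-of-support releases, come back as "not listed" so they are reviewed separately instead of being assumed unaffected.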

Workarounds

It is strongly advised to upgrade to the latest secure versions of the affected products. Fortinet also suggests the following workarounds:

  • Disable fgfm access on affected interfaces by setting allowaccess without fgfm, using the following commands:
      config system interface
      edit "portX"
      set allowaccess ping https ssh
      next
      end
  • Limit FGFM connections to trusted IPs using a local-in policy, which reduces the attack surface but does not fully eliminate the risk.

General Recommendations

  • Conduct regular vulnerability scans and ensure timely security updates of the applications.
  • Segment your network to reduce the potential impact of a compromise.