Author: Swarup

Security Advisory

Critical Fortinet Vulnerability Exploiting in Wild

Summary

OEM

Fortinet

Severity

Critical

Date of Announcement

2024-10-16

CVSS Score

9.8

CVE

CVE-2024-23113

CWE

CWE-134

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

A Critical vulnerability (CVE-2024-23113) has been identified in the FortiOS fgfmd daemon, which enables unauthenticated attackers to remotely execute arbitrary code or commands. This flaw arises from a format string vulnerability (CWE-134) within the fgfmd daemon, where specially crafted requests can initiate arbitrary code execution, potentially resulting in full system compromise. Affected versions include multiple releases of FortiOS, FortiPAM, FortiProxy, and FortiWeb.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Fortinet Products Format Sting Vulnerability

CVE-2024-23113

FortiOS, FortiProxy, FortiPAM, FortiWeb

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-23113

FortiOS (7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13), FortiProxy (7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.15), FortiPAM (1.2 and lower), FortiWeb (7.4.0-7.4.2)

The vulnerability lies in the fgfmd daemon’s handling of format strings in incoming requests, which can be exploited by remote attackers via crafted inputs. Exploitation of this flaw allows attackers to execute unauthorized code or commands on the affected systems.

Remote Code Execution (RCE)

Remediation

Fortinet has released security patches addressing this vulnerability. Here is the below patched versions for the Fortinet products.

  • FortiOS: Upgrade to version 7.4.3, 7.2.7, or 7.0.14 and above.
  • FortiProxy: Upgrade to version 7.4.3, 7.2.9, or 7.0.16 and above.
  • FortiPAM: Migrate to the latest supported version.
  • FortiWeb: Upgrade to version 7.4.3 and above.

Workarounds

It is strongly advised to upgrade to the latest secure versions of the affected products. As there are workarounds suggested by Fortinet team, here is the below.
  • Disable the fgfm access on affected interfaces using the following command:
      config system interface
      edit “portX”
      set allow access ping https ssh
      next
      end
  • Limit FGFM connections to trusted IPs using a local-in policy, which reduces the attack surface but does not fully eliminate the risk.

General Recommendations

  • Conduct regular vulnerability scans and ensure timely security updates of the applications.
  • Segment your network to reduce the potential impact of a compromise.

References

Security Advisory

Zimbra Remote Code Execution Vulnerability (CVE-2024-45519)

Summary

OEM

Zimbra

Severity

Critical

Date of Announcement

2024-10-02

CVSS Score

10.0

CVE

CVE-2024-45519

CWE

--

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Overview

A critical vulnerability (CVE-2024-29847) has been identified in Ivanti Endpoint Manager, allowing unauthenticated attackers to execute arbitrary code remotely. This flaw is due to a deserialization of untrusted data issue in the AgentPortal.exe service, specifically within the .NET Remote framework. Exploitation can allow attackers to perform file operations such as reading or writing files on the server, potentially leading to full system compromise.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Zimbra - Remote Command Execution

CVE-2024-45519

Zimbra Collaboration Suite (ZCS)

Critical

10.0

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-45519

Zimbra Collaboration Suite (ZCS) prior to 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1

Attackers sent spoofed emails, appearing to be from Gmail, with base64-encoded malicious code in the CC field. This code tricks Zimbra server into executing it as shell commands instead of processing it as email addresses. The goal is to create a web shell on vulnerable servers, enabling remote access and control. Once installed, the web shell listens for specific cookie values to execute commands or download malicious files.

Complete remote control of the affected Zimbra instance.

Remediation

  • Patch Immediately
    • Administrators are strongly advised to update their Zimbra servers to the latest patched versions: 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, 10.1.1
  • Disable postjournal if unused
    • To minimize the attack surface, it is advisable to completely disable the postjournal service if your organization doesn’t require it.
  • Verify Network Configurations
    • Ensure that the mynetworks parameter is correctly configured to limit access to trusted IP ranges, preventing unauthorized access.
  • Monitor for Indicators of Compromise (IoCs)
    • Security teams should monitor network traffic and Zimbra server logs for unusual activity, such as connections from suspicious IP addresses (e.g., 79.124.49[.]86).

References

Scroll to top