87,000+ Fortinet devices still open to attack, are yours among them? (CVE-2024-23113)

Last week, CISA added CVE-2024-23113 – a critical vulnerability that allows unauthenticated remote code/command execution on unpatched Fortinet FortiGate firewalls – to its Known Exploited Vulnerabilities catalog, thus confirming that it’s being leveraged by attackers in the wild.

The Shadowserver Foundation shared on Sunday that there are still 87,000+ internet-facing Fortinet devices likely vulnerable to the flaw.

About CVE-2024-23113

CVE-2024-23113 is a format string vulnerability in the FortiOS FGFM (FortiGate to FortiManager) daemon that can be triggered with specially crafted requests. It was discovered and reported by Gwendal Guégniaud of the Fortinet Product Security team and patched in early February 2024 in FortiOS versions 7.4.3, 7.2.7 and 7.0.14.

Since then, Fortinet’s advisory has been updated to list additional affected products and to share a mitigation: removing FGFM access from the device’s interfaces.

“Note that this will prevent FortiGate discovery from FortiManager [a solution for managing Fortinet products]. Connection will still be possible from FortiGate,” the company warned.

“Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won’t prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.”

At the time, the vulnerability did not attract much attention from the cybersecurity community, but it’s now obvious that it didn’t go unnoticed by threat actors.

Unfortunately, details about the attacks are still under wraps, and we don’t know whether the bug is being exploited for cyber espionage or ransomware delivery.

On Monday, watchTowr Labs released their analysis of the vulnerability and described the difficulties they ran into while building a tool to test devices for it, because different firmware versions react differently to probing attempts.

“It looks like Fortinet added some kind of certificate validation logic in the 7.4 series, meaning that we can’t even connect to it (let alone send our payload) without being explicitly permitted by a device administrator. We also checked the 7.0 branch, and here we found things even more interesting, as an unpatched instance would allow us to connect with a self-signed certificate, while a patched machine requires a certificate signed by a configured CA,” watchTowr Labs researcher Aliz Hammond explained.

“We did some reversing and determined that the certificate must be explicitly configured by the administrator of the device, which limits exploitation of these machines to the managing FortiManager instance (which already has superuser permissions on the device) or the other component of a high-availability pair.”

Enterprise admins are advised to upgrade affected devices to a fixed version and, according to security researcher Kevin Beaumont, to watch for FortiManager patches addressing an undisclosed flaw in the same component (i.e., FGFM).
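A small triage script for an inventory of FortiGate version banners, as an added example that is not code from the article, Fortinet or watchTowr. It compares each device against the fixed releases the article names (7.4.3, 7.2.7 and 7.0.14), reports branches the article does not cover as unknown rather than guessing, and keeps unpatched devices that merely have FGFM removed in a separate “mitigated” bucket, since Fortinet treats that as a mitigation and not a complete workaround. The inventory is constructed sample data, and the build strings in it are placeholders.

```python
"""Triage a FortiOS inventory against the CVE-2024-23113 fixed releases.

Added example; not code from the article, Fortinet or watchTowr. The fixed
releases are the ones the article names; branches it does not name are
reported as "unknown" rather than guessed. The inventory is constructed.
"""
import re
from typing import Optional

# Lowest fixed release per FortiOS branch, as given in the article.
FIXED_RELEASES = {
    (7, 4): (7, 4, 3),
    (7, 2): (7, 2, 7),
    (7, 0): (7, 0, 14),
}

# Matches "7.4.2", "v7.4.2", "v7.4.2,build1234" and similar banner strings.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Extract (major, minor, patch) from a version string, or None if absent."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def patch_status(version: str) -> str:
    """Classify a version as 'patched', 'unpatched' or 'unknown'.

    'unknown' covers unparseable strings and branches the article does not
    list; those need a manual check against Fortinet's advisory.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return "unknown"
    return "patched" if parsed >= fixed else "unpatched"


def device_status(version: str, fgfm_interfaces: list[str]) -> str:
    """Combine patch level with FGFM exposure for one device.

    An unpatched device with FGFM removed from every interface is reported as
    'mitigated', not 'patched': per Fortinet, removing FGFM access (or pinning
    it to one source IP) reduces the attack surface but is not a full workaround.
    """
    status = patch_status(version)
    if status != "unpatched":
        return status
    return "exposed" if fgfm_interfaces else "mitigated"


def triage(inventory: dict[str, tuple[str, list[str]]]) -> dict[str, list[str]]:
    """Group hostnames by status so the 'exposed' list can be worked first."""
    groups: dict[str, list[str]] = {
        "exposed": [], "mitigated": [], "patched": [], "unknown": []
    }
    for host, (version, fgfm_interfaces) in inventory.items():
        groups[device_status(version, fgfm_interfaces)].append(host)
    return groups


# Constructed sample inventory (placeholder build numbers):
# hostname -> (version banner, interfaces that still list fgfm in allowaccess).
SAMPLE_INVENTORY = {
    "fw-branch-01": ("v7.4.2,build1234", ["wan1"]),
    "fw-branch-02": ("v7.4.3,build1234", ["wan1"]),
    "fw-dc-01": ("v7.0.13", []),
    "fw-dc-02": ("v7.2.7", ["port1", "port2"]),
    "fw-legacy": ("v6.4.15", ["wan1"]),
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed it the version strings from your own asset inventory (for example the output of `get system status` collected by whatever tooling you already use); the “unknown” bucket is the one to resolve by hand against Fortinet’s advisory before declaring a fleet clean.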
