Executive Summary
In October 2024, the cybersecurity landscape was shaken by the revelation of a critical vulnerability, CVE-2024-23113, affecting multiple Fortinet products. The vulnerability, which the Cybersecurity and Infrastructure Security Agency (CISA) has added to its Known Exploited Vulnerabilities Catalog, poses a significant threat to organizations worldwide. The flaw allows attackers to execute unauthorized code or commands by sending specially crafted packets that exploit an externally controlled format string. With a CVSS score of 9.8, the urgency of mitigation cannot be overstated. This report covers the technical details of the vulnerability, its exploitation in the wild, and the steps required for mitigation.
Technical Information
CVE-2024-23113 is a format string vulnerability in several Fortinet products, including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. It stems from the fgfmd daemon accepting an externally controlled format string as an argument. An attacker can exploit the flaw by sending specially crafted packets to a vulnerable system, gaining arbitrary code execution with the privileges of the affected service. Its CVSS score of 9.8 reflects the potential for severe impact on affected systems.
The vulnerability affects a wide range of Fortinet product versions. FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, and 7.0.0 through 7.0.13 are vulnerable. Similarly, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.14 are affected. FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, and 1.0.0 through 1.0.3, as well as FortiSwitchManager versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3, are also impacted.
Exploitation involves sending specially crafted packets to the vulnerable system, where the fgfmd daemon processes them. Successful exploitation yields arbitrary code execution, which can lead to unauthorized access, data exfiltration, or further compromise of the affected network. Because the flaw is critical and broadly exploitable, it requires immediate attention and remediation.
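The bug class described above is an untrusted string reaching a printf-family function as its format argument instead of as data. The following C example is added here to illustrate that class; it is not Fortinet code and has no relation to fgfmd's implementation. All function names are illustrative, and the hostile input string is constructed. It shows the vulnerable pattern beside its hardened form and a small defensive check a developer can apply before untrusted data reaches a logging or formatting layer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Fortinet code: the bug class behind CVE-2024-23113 is
 * untrusted input reaching a printf-family function as the FORMAT argument
 * rather than as data. The names below are illustrative. */

/* Defensive check: true when an untrusted string carries a conversion
 * directive that a printf-family call would interpret. "%%" is a literal
 * percent sign and is not counted; a lone trailing '%' is counted because
 * printf's behaviour on it is undefined. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return true;            /* '%' followed by anything else */
    }
    return false;
}

/* VULNERABLE pattern: the untrusted string IS the format. Any conversion
 * inside it is honoured, so the sender controls what the formatter reads
 * and, with some directives, where it writes. Shown for contrast only;
 * the demo below never calls it with directive-bearing input. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_unsafe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, untrusted);
}
#pragma GCC diagnostic pop

/* HARDENED pattern: the format is a constant and the untrusted string is
 * passed as a %s argument, so its bytes are copied, never interpreted. */
int render_safe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "%s", untrusted);
}

/* Round-trip check: the hardened renderer reproduces its input verbatim,
 * directives included, because nothing in it is treated as a format. */
bool safe_render_is_verbatim(const char *untrusted) {
    char buf[256];
    render_safe(buf, sizeof buf, untrusted);
    return strcmp(buf, untrusted) == 0;
}

int main(void) {
    /* constructed hostile input: looks like a status message, carries a %x */
    const char *msg = "progress 100%x done";
    char out[256];

    printf("directive present: %s\n", has_format_directive(msg) ? "yes" : "no");
    render_safe(out, sizeof out, msg);
    printf("safe render     : %s\n", out);
    /* render_unsafe(out, sizeof out, msg) would interpret the %x instead. */
    return 0;
}
```

The check in has_format_directive is a detection aid, not a substitute for the fix: the correct remedy is always a constant format string with the untrusted value passed as an argument, as render_safe does.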
Exploitation in the Wild
CVE-2024-23113 has been actively exploited in the wild, as evidenced by its inclusion in CISA's Known Exploited Vulnerabilities Catalog. Malicious actors have leveraged this vulnerability to execute remote code on vulnerable systems, posing significant risks to affected organizations. The exploitation of this vulnerability has been observed in targeted attacks, with attackers using specially crafted packets to gain unauthorized access to vulnerable systems. Indicators of Compromise (IOCs) associated with this vulnerability include unusual network traffic patterns, unexpected system behavior, and unauthorized access attempts.
APT Groups using this vulnerability
While specific Advanced Persistent Threat (APT) groups exploiting CVE-2024-23113 have not been publicly identified, the vulnerability's critical nature and potential for widespread exploitation make it an attractive target for APT groups. Organizations in sectors such as finance, healthcare, and government, particularly in regions with high geopolitical tensions, should remain vigilant and prioritize the remediation of this vulnerability.
Affected Product Versions
The following Fortinet product versions are affected by CVE-2024-23113:
FortiOS: 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, and 7.0.0 through 7.0.13
FortiProxy: 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, and 7.0.0 through 7.0.14
FortiPAM: 1.2.0, 1.1.0 through 1.1.2, and 1.0.0 through 1.0.3
FortiSwitchManager: 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3
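Checking a device inventory against these ranges by hand is error-prone, because each product has several disjoint branches. The following Python is an added example, not from Fortinet or the advisory: it encodes the ranges exactly as listed above and triages a constructed inventory against them. The function names and the inventory format (one "host product version" line per device) are my own assumptions.

```python
"""Added example (not from the advisory or Fortinet): triage a device
inventory against the CVE-2024-23113 affected-version ranges quoted above.
Function names and the inventory lines are constructed for illustration."""

# Inclusive ranges, exactly as listed in this report.
AFFECTED_RANGES = {
    "FortiOS": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13")],
    "FortiProxy": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.8"), ("7.0.0", "7.0.14")],
    "FortiPAM": [("1.2.0", "1.2.0"), ("1.1.0", "1.1.2"), ("1.0.0", "1.0.3")],
    "FortiSwitchManager": [("7.2.0", "7.2.3"), ("7.0.0", "7.0.3")],
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v7.4.2', '7.4.2' or '7.4' into a comparable (major, minor, patch)
    tuple. A trailing build suffix such as '7.2.5 build1517' is ignored,
    since the ranges are expressed in dotted versions only."""
    core = text.strip().lstrip("vV").split()[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(product: str, version: str) -> bool:
    """True when the version lies inside one of the product's affected ranges.
    Unknown products raise rather than silently reporting 'not affected'."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"no CVE-2024-23113 range data for product {product!r}")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product])


def triage_inventory(lines):
    """Each line is '<hostname> <product> <version>' (constructed format).
    Blank lines and '#' comments are skipped. Returns the hostnames whose
    version is affected, in input order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = line.split()
        if is_affected(product, version):
            hits.append(host)
    return hits


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    "# host product version",
    "fw-edge-01 FortiOS 7.2.5",
    "fw-edge-02 FortiOS 7.2.7",
    "proxy-01 FortiProxy 7.0.14",
    "pam-01 FortiPAM 1.2.0",
    "fsm-01 FortiSwitchManager 7.2.4",
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-23113, patch or apply workaround")
```

The script deliberately raises on a product it has no data for, so a typo in the inventory cannot be mistaken for a clean result; versions above the top of a branch (for example FortiOS 7.2.7) and below the bottom of all branches (for example FortiOS 6.4.x) both fall outside the ranges this report lists.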
Workaround and Mitigation
Organizations using affected Fortinet products are strongly advised to apply the latest security patches provided by Fortinet. If patches are unavailable, consider discontinuing the use of vulnerable products until mitigations are implemented. Additionally, organizations should implement network segmentation, monitor network traffic for unusual patterns, and employ intrusion detection systems to identify and respond to potential exploitation attempts.
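Fortinet's advisory FG-IR-24-029 (linked under References) gives a concrete interim workaround where patching must wait: remove fgfm from the allowaccess list of each interface, since fgfmd is the daemon that processes the crafted packets. The fragment below is an illustrative FortiOS CLI configuration added here, not text from this page or from the advisory; "port1" is a placeholder interface name, and the service list shown is an example of what an interface might already permit.

```text
# Illustrative FortiOS CLI, not from the page. "port1" is a placeholder.

# Before: the FGFM management protocol is reachable on the interface
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
end

# After: fgfm removed from allowaccess, other services left as they were
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Verify: fgfm should no longer appear in the interface's allowaccess line
show system interface port1
```

Repeat the change for every interface that lists fgfm. The advisory notes two caveats worth planning around: removing fgfm prevents FortiManager from discovering the FortiGate, although a connection initiated from the FortiGate side still works, and a local-in policy that merely restricts FGFM to specific source addresses reduces exposure but does not prevent exploitation from those addresses.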
References
For further information on CVE-2024-23113, please refer to the following resources:
CISA Alert: CISA Adds Three Known Exploited Vulnerabilities to Catalog (https://www.cisa.gov/news-events/alerts/2024/10/09/cisa-adds-three-known-exploited-vulnerabilities-catalog)
NVD Entry: CVE-2024-23113 Detail - NVD (https://nvd.nist.gov/vuln/detail/CVE-2024-23113)
Fortinet Advisory: Fortinet PSIRT Advisory FG-IR-24-029 (https://fortiguard.com/psirt/FG-IR-24-029)
Rescana is here for you
At Rescana, we understand the challenges posed by emerging cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help organizations identify, assess, and mitigate vulnerabilities in real-time. We are committed to supporting our customers in navigating the complex cybersecurity landscape. For any questions or further assistance, please contact us at ops@rescana.com.