
Executive Summary
Recent assessments have identified critical vulnerabilities within Fortinet products, including FortiAnalyzer, FortiManager, FortiOS, and FortiSandbox. Although no exploitation in the wild and no connections to Advanced Persistent Threat (APT) groups have been observed, these vulnerabilities present significant risks that could lead to unauthorized data access, privilege escalation, and system compromise. Organizations using these products should understand the potential impact and adopt the necessary security measures.
Technical Information
Fortinet, a prominent player in cybersecurity solutions, has disclosed several vulnerabilities in its products, emphasizing the need for proactive security measures. One such vulnerability is CVE-2024-40585, which affects FortiAnalyzer and FortiManager versions 7.4.0, 7.2.3, 7.2.2, 7.2.1, and 7.2.0. This flaw results in the insertion of sensitive information into event logs, which can be accessed by users with limited privileges, posing a risk of unauthorized data exposure. Further details can be accessed through the Fortinet PSIRT Advisory (https://www.fortiguard.com/psirt/FG-IR-24-311) and NVD (https://nvd.nist.gov/vuln/detail/CVE-2024-40585).
Another critical vulnerability is CVE-2024-27781, affecting FortiSandbox versions 4.4.0 through 4.4.4. The issue stems from improper neutralization of input, which permits cross-site scripting (XSS): attacker-supplied script can run in a user's browser context, potentially leading to unauthorized actions performed on that user's behalf. Additional information is available in the Fortinet PSIRT Advisory (https://fortiguard.fortinet.com/psirt/FG-IR-24-063).
CVE-2024-36508 poses a path traversal vulnerability in FortiAnalyzer and FortiManager versions 7.4.2, 7.4.1, 7.4.0, 7.2.5, and 7.2.4. This flaw allows unauthorized file deletion, potentially leading to data loss or alteration. Refer to the Fortinet PSIRT Advisory for more details (https://www.fortiguard.com/psirt/FG-IR-24-147).
CVE-2024-40584 covers OS command injection vulnerabilities in FortiAnalyzer, FortiAnalyzer Cloud, FortiAnalyzer-BigData, FortiManager, and FortiManager Cloud versions 7.4.3, 7.4.2, 7.4.1, 7.4.0, and 7.2.5. These vulnerabilities allow unauthorized command execution with elevated privileges and therefore carry a risk of full system compromise. For further details, see the Fortinet PSIRT Advisory (https://fortiguard.fortinet.com/psirt/FG-IR-24-220).
CVE-2024-40591 highlights a permission escalation flaw due to improper privilege management in FortiOS versions 7.6.0, 7.4.4, 7.4.3, 7.4.2, and 7.4.1. This issue can lead to unauthorized access and potential configuration changes. Detailed information is available in the Fortinet PSIRT Advisory (https://www.fortiguard.com/psirt/FG-IR-24-302).
Lastly, CVE-2024-35279 involves a stack buffer overflow in the Fabric Service of FortiOS versions 7.4.0 through 7.4.4. This vulnerability may allow remote code execution, posing significant risks to system integrity. For further information, refer to the Fortinet PSIRT Advisory (https://www.fortiguard.com/psirt/FG-IR-24-160).
Exploitation in the Wild
Currently, there are no verified instances of these vulnerabilities being exploited in the wild. Organizations should nevertheless remain vigilant and monitor for indicators of compromise (IOCs) that may suggest exploitation attempts. Keeping systems up to date with the latest patches and implementing robust security monitoring can help mitigate potential risks.
APT Groups Using These Vulnerabilities
At this time, there are no known associations between these vulnerabilities and APT groups. However, given the evolving nature of cyber threats, it remains crucial to stay informed about potential risks and emerging attack vectors.
Affected Product Versions
The vulnerabilities affect the following product versions:
- CVE-2024-40585: FortiAnalyzer and FortiManager versions 7.4.0, 7.2.3, 7.2.2, 7.2.1, 7.2.0
- CVE-2024-27781: FortiSandbox versions 4.4.4, 4.4.3, 4.4.2, 4.4.1, 4.4.0
- CVE-2024-36508: FortiAnalyzer and FortiManager versions 7.4.2, 7.4.1, 7.4.0, 7.2.5, 7.2.4
- CVE-2024-40584: FortiAnalyzer, FortiAnalyzer Cloud, FortiAnalyzer-BigData, FortiManager, FortiManager Cloud versions 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.5
- CVE-2024-40591: FortiOS versions 7.6.0, 7.4.4, 7.4.3, 7.4.2, 7.4.1
- CVE-2024-35279: FortiOS versions 7.4.4, 7.4.3, 7.4.2, 7.4.1, 7.4.0
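The list above is most useful when it is matched automatically against a device inventory. The following is an added example (not part of the Rescana report and not Fortinet code) that transcribes the affected versions as inclusive ranges, parses version strings in both the plain "7.4.3" form and the "v7.4.3,build...,... (GA.F)" form in which FortiOS reports its version, and returns the CVEs from this report that apply to each device. It generalizes the list slightly by comparing parsed version tuples rather than string-matching, so intermediate builds are handled consistently. Assumptions: any version not listed in the report is treated as unaffected, exactly as the report does, so the vendor advisories remain the authority on fixed releases; the inventory rows, hostnames and build strings are constructed sample data.

```python
"""Added example (not from the Rescana report or Fortinet): match a device
inventory against the affected versions listed in this report.

Assumptions (labelled): the ranges below transcribe the report's lists; any
version not listed is treated as unaffected, as the report does, so the vendor
advisories remain the authority on fixed releases. The inventory rows and
build strings are constructed sample data."""

import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected versions transcribed from the report as inclusive (low, high)
# ranges per product, one entry per contiguous run within a release train.
AFFECTED: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "CVE-2024-40585": {
        "FortiAnalyzer": [("7.2.0", "7.2.3"), ("7.4.0", "7.4.0")],
        "FortiManager":  [("7.2.0", "7.2.3"), ("7.4.0", "7.4.0")],
    },
    "CVE-2024-27781": {
        "FortiSandbox": [("4.4.0", "4.4.4")],
    },
    "CVE-2024-36508": {
        "FortiAnalyzer": [("7.2.4", "7.2.5"), ("7.4.0", "7.4.2")],
        "FortiManager":  [("7.2.4", "7.2.5"), ("7.4.0", "7.4.2")],
    },
    "CVE-2024-40584": {
        p: [("7.2.5", "7.2.5"), ("7.4.0", "7.4.3")]
        for p in ("FortiAnalyzer", "FortiAnalyzer Cloud", "FortiAnalyzer-BigData",
                  "FortiManager", "FortiManager Cloud")
    },
    "CVE-2024-40591": {
        "FortiOS": [("7.4.1", "7.4.4"), ("7.6.0", "7.6.0")],
    },
    "CVE-2024-35279": {
        "FortiOS": [("7.4.0", "7.4.4")],
    },
}

# Matches "7.4.3" as well as the "v7.4.3,build1234,240101 (GA.F)" form that
# FortiOS prints in `get system status`; build and date fields are ignored.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from a version or status string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def cves_for(product: str, version_text: str) -> List[str]:
    """Return the CVEs from this report whose affected ranges cover the version."""
    v = parse_version(version_text)
    hits: List[str] = []
    for cve, products in AFFECTED.items():
        for low, high in products.get(product, []):
            if parse_version(low) <= v <= parse_version(high):
                hits.append(cve)
                break  # one matching range per CVE is enough
    return sorted(hits)


def check_inventory(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map hostname -> matching CVEs for (hostname, product, version) rows."""
    return {host: cves_for(product, version) for host, product, version in rows}


# Constructed sample inventory (not real devices; build strings are placeholders).
SAMPLE_INVENTORY = [
    ("fmg-01",   "FortiManager",  "v7.4.2,build1234,240101 (GA)"),
    ("fgt-edge", "FortiOS",       "v7.4.4,build1234,240101 (GA.F)"),
    ("fgt-dc",   "FortiOS",       "v7.4.5,build1234,240101 (GA.F)"),
    ("fsa-lab",  "FortiSandbox",  "4.4.3"),
    ("faz-01",   "FortiAnalyzer", "7.2.3"),
]

if __name__ == "__main__":
    for host, cves in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {', '.join(cves) or 'no listed CVEs'}")
```

Product names are matched exactly against the report's wording, so an inventory exported from another tool may need its product field normalized first. Because the table encodes only what the report lists, a device on a newer release (for example the constructed 7.4.5 FortiOS entry) is reported as having no listed CVEs rather than as confirmed fixed; confirm fixed versions against the linked advisories.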
Workaround and Mitigation
Organizations are advised to apply the latest patches provided by Fortinet to address these vulnerabilities. Additionally, implementing strong access controls, monitoring network traffic for anomalous activities, and ensuring regular system audits can help mitigate potential risks. For detailed guidance, refer to Fortinet's official advisories linked in this report.
References
For further information on the vulnerabilities and mitigation strategies, please visit the following resources:
- Fortinet PSIRT Advisory for CVE-2024-40585 (https://www.fortiguard.com/psirt/FG-IR-24-311)
- Fortinet PSIRT Advisory for CVE-2024-27781 (https://fortiguard.fortinet.com/psirt/FG-IR-24-063)
- Fortinet PSIRT Advisory for CVE-2024-36508 (https://www.fortiguard.com/psirt/FG-IR-24-147)
- Fortinet PSIRT Advisory for CVE-2024-40584 (https://fortiguard.fortinet.com/psirt/FG-IR-24-220)
- Fortinet PSIRT Advisory for CVE-2024-40591 (https://www.fortiguard.com/psirt/FG-IR-24-302)
- Fortinet PSIRT Advisory for CVE-2024-35279 (https://www.fortiguard.com/psirt/FG-IR-24-160)
Rescana is here for you
At Rescana, we are committed to supporting our clients in navigating cybersecurity challenges. Our Third Party Risk Management (TPRM) platform assists organizations in identifying, assessing, and mitigating risks associated with third-party vendors and products. Should you have any questions or require further assistance, please reach out to us at ops@rescana.com. We are here to help ensure the security and resilience of your organization's cybersecurity posture.