
Executive Summary
In the rapidly evolving landscape of cybersecurity threats, the recent discovery of a critical remote code execution (RCE) vulnerability in Fortinet's FortiOS, tracked as CVE-2024-23113, has raised significant concerns. The vulnerability is actively exploited in the wild and poses substantial risk to organizations running affected Fortinet products. Advanced Persistent Threat (APT) groups exploiting it have targeted critical infrastructure sectors in the United States and Europe. This report aims to provide Rescana's customers with a comprehensive understanding of the vulnerability, its exploitation, and recommended mitigation strategies to safeguard their network infrastructure.
Technical Information
CVE-2024-23113 affects several Fortinet products, including FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and above, and FortiWeb 7.4. The flaw is a format string vulnerability in the fgfmd daemon, the service that handles the FortiGate-to-FortiManager (FGFM) protocol: it accepts an externally controlled string and uses it as a format-string argument. An unauthenticated remote attacker can therefore execute commands or arbitrary code on unpatched devices through a low-complexity attack that requires no user interaction. The impact is severe, as successful exploitation yields command execution on the appliance itself, from which the wider network infrastructure can be compromised. The vulnerability has been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog, highlighting its critical nature.
Exploitation in the Wild
The active exploitation of CVE-2024-23113 has been confirmed by CISA, with reports indicating that threat actors are leveraging this vulnerability to gain unauthorized access to vulnerable systems. The Dutch Military Intelligence and Security Service (MIVD) previously reported that Chinese hackers exploited a similar FortiOS RCE vulnerability, CVE-2022-42475, to breach and infect FortiGate network security appliances. Indicators of Compromise (IOCs) associated with this exploitation include unusual network traffic patterns, unauthorized access attempts, and the presence of malicious scripts or executables on affected systems.
APT Groups using this vulnerability
The exploitation of CVE-2024-23113 has been linked to several APT groups, including those with ties to nation-state actors. These groups have been known to target critical infrastructure sectors in the United States and Europe, aiming to disrupt operations and exfiltrate sensitive data. The involvement of such sophisticated threat actors underscores the importance of addressing this vulnerability promptly to mitigate potential risks.
Affected Product Versions
The products affected by CVE-2024-23113 include FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and above, and FortiWeb 7.4. Organizations using these versions are at risk and should take immediate action to secure their systems.
Workaround and Mitigation
To mitigate the risks associated with CVE-2024-23113, Fortinet has advised removing access to the fgfmd daemon on all interfaces. This measure prevents FortiGate discovery from FortiManager, although connections initiated from the FortiGate will still be possible. Additionally, a local-in policy that restricts FGFM connections to specific IP addresses reduces the attack surface. It is crucial to note that this is a mitigation, not a complete workaround: the vulnerable daemon remains reachable from the permitted addresses, so an attacker operating from one of those hosts can still exploit it. Organizations are strongly urged to apply the latest security patches provided by Fortinet to address this vulnerability effectively.
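The two measures above expressed as FortiOS CLI configuration, added here as an illustration and not taken from Fortinet's advisory or this report. It assumes a single-VDOM FortiGate, an interface named port1 whose allowaccess list previously included fgfm, and a FortiManager at the placeholder address 192.0.2.10; the object names FGFM_TCP541 and FortiManager_Host are my own.

```text
# 1. Remove fgfm from the allowaccess list of every interface.
#    "set allowaccess" replaces the whole list, so re-state the
#    services you still need and simply leave fgfm out.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
# Verify: the output must no longer contain "fgfm".
show system interface port1 | grep allowaccess

# 2. Defence in depth: permit FGFM (TCP/541) only from the
#    FortiManager and deny it from everywhere else with a
#    local-in policy. Policies are evaluated in order, so the
#    accept entry must precede the deny entry.
config firewall service custom
    edit "FGFM_TCP541"
        set tcp-portrange 541
    next
end
config firewall address
    edit "FortiManager_Host"
        # 192.0.2.10 is a placeholder, not a real FortiManager.
        set subnet 192.0.2.10 255.255.255.255
    next
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "FortiManager_Host"
        set dstaddr "all"
        set action accept
        set service "FGFM_TCP541"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "FGFM_TCP541"
        set schedule "always"
    next
end
```

On a multi-VDOM unit, enter the relevant VDOM first, since interfaces and local-in policies are per-VDOM objects. Neither step patches the daemon; the device still needs the fixed firmware.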
References
For further information, please refer to the following resources: Bleeping Computer Article: CISA says critical Fortinet RCE flaw now exploited in attacks (https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-rce-flaw-now-exploited-in-attacks/), CISA Known Exploited Vulnerabilities Catalog, and Fortinet Security Advisory (February 2024).
Rescana is here for you
At Rescana, we understand the challenges posed by emerging cybersecurity threats and are committed to helping our customers navigate these complexities. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive insights into vulnerabilities and assist in implementing effective mitigation strategies. We are here to support you in safeguarding your network infrastructure. For further assistance or inquiries, please contact our cybersecurity team at ops@rescana.com.