Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP requests.
FREQUENTLY ASKED
What is CVE-2024-21762 and why does it matter?
CVE-2024-21762 is a critical out-of-bounds write vulnerability (CWE-787) in Fortinet FortiOS and FortiProxy with a CVSS score of 9.6. It is significant because it allows remote, unauthenticated attackers to execute unauthorized code or commands via specially crafted HTTP requests. This vulnerability is actively being exploited in the wild and has been linked to known ransomware operations, making it a severe threat to infrastructure integrity.
Which versions of the product are affected?
The vulnerability affects FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, and 6.0.0 through 6.0.17. It also impacts FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7.
Has a patch been released for CVE-2024-21762?
Yes, Fortinet has released official patches for this vulnerability. Security administrators should refer to the FortiGuard PSIRT advisory FG-IR-24-015 for specific firmware upgrade instructions. The remediation involves updating to the latest non-vulnerable versions of FortiOS and FortiProxy. Because the vulnerability is being actively exploited, applying these updates is the primary recommended course of action.
What is the remediation deadline and what does it mean for compliance?
The remediation deadline is 2024-02-16. For organizations following CISA's Known Exploited Vulnerabilities (KEV) catalog and Binding Operational Directive (BOD) 22-01, this date represents a mandatory deadline for federal agencies to mitigate the risk. For private sector organizations, this deadline serves as a critical benchmark for high-priority risk management and compliance with industry security standards.
How do I check if my deployment is affected?
To check if your instance is affected, log into your Fortinet device and verify the current firmware version of FortiOS or FortiProxy. Compare your version against the affected ranges provided in the Source Data (e.g., FortiOS 7.4.0-7.4.2). If your version falls within these ranges, your deployment is vulnerable and you must proceed with the recommended firmware updates immediately to prevent potential exploitation.
CVE-2024-21762 identifies a critical out-of-bounds write vulnerability (CWE-787) in Fortinet FortiOS and FortiProxy. With a CVSS score of 9.6, this flaw allows a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted HTTP requests. Due to active exploitation and known use by ransomware actors, immediate remediation is required by February 16, 2024.
The core issue in CVE-2024-21762 is CWE-787: Out-of-bounds Write. In the context of FortiOS and FortiProxy, this occurs when the software writes data past the end of an intended buffer. Unlike a standard buffer overflow which might simply overwrite adjacent stack variables, an out-of-bounds write is often more surgical, allowing an attacker to corrupt sensitive memory locations, such as function pointers or return addresses.
Imagine a post-office where a clerk is instructed to write an address on an envelope but continues writing across the desk and onto a nearby ledger. In a computing environment, that "ledger" contains the instructions the processor uses to decide what to do next. By carefully crafting an HTTP request, an attacker can influence what data is written and where it lands in memory, effectively hijacking the execution flow of the system.
Attack Surface and Blast Radius
The attack surface for this vulnerability is primarily the management interface or the SSL-VPN portal if they are exposed to the network. Since the vulnerability is triggered via HTTP requests, it is inherently reachable over the network without any prior authentication or user interaction.
Given that Fortinet devices often sit at the edge of the network, acting as firewalls or VPN gateways, the blast radius of a successful exploit is total. An attacker gaining code execution on a FortiOS device effectively controls the gateway to the internal network. This can lead to credential theft, lateral movement, and the deployment of ransomware, as corroborated by the "Known Ransomware Use" status in the source data. The extremely high EPSS score (99.8th percentile) underscores that this is not a theoretical risk but a primary target for automated scanning and exploitation tools.
Who Is Affected?
Affected Versions Summary
This vulnerability spans a wide range of Fortinet products and versions, reflecting a deep-seated issue within the underlying code shared across multiple branches:
FortiOS 7.4: 7.4.0 through 7.4.2
FortiOS 7.2: 7.2.0 through 7.2.6
FortiOS 7.0: 7.0.0 through 7.0.13
FortiOS 6.4: 6.4.0 through 6.4.14
FortiOS 6.2: 6.2.0 through 6.2.15
FortiOS 6.0: 6.0.0 through 6.0.17
FortiProxy: Spanning versions 1.0.x through 7.4.2.
Organizations utilizing Fortinet for secure remote access (SSL-VPN) or as their primary perimeter firewall are at the highest risk. This includes government agencies, healthcare providers, and critical infrastructure sectors where high availability and security are paramount.
CISA KEV and Compliance Requirements
CISA has added CVE-2024-21762 to the Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, federal agencies were required to apply the necessary patches by the remediation deadline of 2024-02-16. For the private sector, this deadline is a clear indicator that any delay in patching significantly increases the probability of a compromise. Non-compliance with this timeline may also impact cybersecurity insurance eligibility and regulatory audits.
Official Remediation Steps
Security administrators must act immediately to secure their Fortinet deployments by following these steps:
Identify Vulnerable Assets: Use the Fortinet management console to inventory all FortiOS and FortiProxy instances and record their current firmware versions.
Download Verified Firmware: Access the Fortinet Support portal to download the appropriate firmware update for your hardware model.
Execute Update Window: Schedule a maintenance window to apply the firmware updates. Ensure you follow the vendor's recommended upgrade path (e.g., updating from 7.0.13 to the latest fixed 7.0.x release).
Verify Mitigation: After the reboot, confirm the firmware version reflects the patched release and monitor system logs for any anomalous HTTP traffic or unauthorized access attempts.
Decommission If Unpatchable: If your hardware is end-of-life and cannot be updated to a non-vulnerable version, CISA and Fortinet recommend discontinuing the use of the product immediately.
Security Best Practices for Fortinet Environments
Beyond patching CVE-2024-21762, organizations should implement the following defensive measures to mitigate similar memory-corruption vulnerabilities:
Restrict Management Access: Ensure that management interfaces (HTTPS/SSH) are not exposed to the public internet. Use out-of-band management or restricted jump boxes.
Enable SSL-VPN Best Practices: If SSL-VPN must be used, implement Multi-Factor Authentication (MFA) and consider migrating to ZTNA (Zero Trust Network Access) which provides more granular access control.
Implement Geo-Blocking: Use FortiOS's built-in geo-blocking features to prevent traffic from regions where your organization does not have a legitimate business presence.
Network Segmentation: Isolate the security appliance from sensitive internal segments. Even if the firewall is compromised, robust internal segmentation can limit the attacker's ability to move laterally.
Enable IPS and Web Filtering: Utilize FortiGuard Intrusion Prevention System (IPS) signatures specifically designed to detect and block "crafted HTTP requests" that target known vulnerabilities.
Regular Configuration Audits: Periodically review the device configuration for unnecessary services or legacy protocols that increase the attack surface.
Log Centralization: Stream all logs from Fortinet devices to a central SIEM (Security Information and Event Management) system to facilitate rapid detection of post-exploitation activity.