Critical Alert: FortiOS Vulnerable to Remote Code Execution (CVE-2024-23113)

On February 9, 2024, Fortinet disclosed a critical vulnerability in FortiOS that could leave systems wide open to remote exploitation. Dubbed CVE-2024-23113 (CVSS 9.8), this flaw has set the cybersecurity world abuzz, due to its potential to allow unauthenticated attackers to remotely execute code on affected devices.

CVE-2024-23113

This vulnerability exploits a format string flaw within the FortiOS fgfmd daemon, making it possible for attackers to craft malicious requests leading to remote code execution. The implications are dire, as it opens the door for attackers to infiltrate networks, siphon off sensitive data, or establish a foothold for further malicious activities.

To patch CVE-2024-23113, Fortinet recommends upgrading to

Version Affected Solution
FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above

Fortinet has responded swiftly, recommending upgrades to patched versions of FortiOS across affected versions to mitigate the risk. Moreover, the advisory also outlines temporary workarounds, including configuring system interfaces to limit potential attack vectors. For each interface, remove the fgfm access, for example, change:

onfig system interface

edit "portX"

set allowaccess ping https ssh fgfm

next

end

to :



config system interface

edit "portX"

set allowaccess ping https ssh

next

end

Note that this will prevent FortiGate discovery from FortiManager. Connections from the FortiGate will still work,” Fortinet explained.

Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won’t prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.

This vulnerability was disclosed alongside another critical issue, CVE-2024-21762, with a rating of 9.6. However, the spotlight was on CVE-2024-21762, especially since it was reported as being actively exploited in the wild.