Fortinet Products Multiple Vulnerabilities

Multiple vulnerabilities were identified in Fortinet Products. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, remote code execution, sensitive information disclosure and cross-site scripting on the targeted system.

[Updated on 2024-02-19] 

For CVE-2024-21762, a out-of-bounds write vulnerability in FortiOS and FortiProxy may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.

Note: This is potentially being exploited in the wild. Hence, the risk level is rated from Medium Risk to Extremely High Risk.

[Updated on 2024-10-10] 

Note: CVE-2024-23113 is potentially being exploited in the wild

For CVE-2024-23113, a use of externally-controlled format string vulnerability in FortiOS and FortiProxy may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Updated System / Technologies affected, Solutions and Related Links.

Impact

• Denial of Service
• Remote Code Execution
• Information Disclosure
• Cross-Site Scripting

System / Technologies affected

For CVE-2024-21762

• FortiOS 7.4 version 7.4.0 through 7.4.2
• FortiOS 7.2 version 7.2.0 through 7.2.6
• FortiOS 7.0 version 7.0.0 through 7.0.13
• FortiOS 6.4 version 6.4.0 through 6.4.14
• FortiOS 6.2 version 6.2.0 through 6.2.15
• FortiOS 6.0 version all versions
• FortiProxy 7.4 version 7.4.0 through 7.4.2
• FortiProxy 7.2 version 7.2.0 through 7.2.8
• FortiProxy 7.0 version 7.0.0 through 7.0.14
• FortiProxy 2.0 version 2.0.0 through 2.0.13
• FortiProxy 1.2 all versions
• FortiProxy 1.1 all versions
• FortiProxy 1.0 all versions

For CVE-2024-23113

• FortiOS 7.4 version 7.4.0 through 7.4.2
• FortiOS 7.2 version 7.2.0 through 7.2.6
• FortiOS 7.0 version 7.0.0 through 7.0.13
• FortiPAM 1.2 all versions
• FortiPAM 1.1 all versions
• FortiPAM 1.0 all versions
• FortiProxy 7.4 version 7.4.0 through 7.4.2
• FortiProxy 7.2 version 7.2.0 through 7.2.8
• FortiProxy 7.0 version 7.0.0 through 7.0.15
• FortiWeb 7.4 version 7.4.0 through 7.4.2

For Others CVE

• FortiNAC version 7.2.0 through 7.2.2
• FortiNAC 8.3 all versions
• FortiNAC 8.5 all versions
• FortiNAC 8.6 all versions
• FortiNAC 8.7 all versions
• FortiNAC 8.8 all versions
• FortiNAC 9.1 all versions
• FortiNAC 9.2 all versions
• FortiNAC version 9.4.0 through 9.4.3
• FortiOS 6.4 all versions
• FortiOS version 7.0.0 through 7.0.15
• FortiOS version 7.2.0 through 7.2.7
• FortiOS version 7.4.0 through 7.4.1
• FortiProxy 7.0 all versions
• FortiProxy version 7.2.0 through 7.2.7
• FortiProxy version 7.4.0 through 7.4.1
• FortiClientEMS 7.2 version 7.2.0 through 7.2.2 
• FortiClientEMS 7.0 version 7.0.6 through 7.0.10 
• FortiClientEMS 7.0 version 7.0.0 through 7.0.4 
• FortiClientEMS 6.4 all versions 
• FortiClientEMS 6.2 all versions 

Solutions

Before installation of the software, please visit the vendor web-site for more details.

Apply fixes issued by the vendor:

For CVE-2024-21762

• https://fortiguard.fortinet.com/psirt/FG-IR-24-015

For CVE-2024-23113

• https://fortiguard.fortinet.com/psirt/FG-IR-24-029

For Others CVE

• https://fortiguard.fortinet.com/psirt/FG-IR-23-063
• https://fortiguard.fortinet.com/psirt/FG-IR-23-301
• https://fortiguard.fortinet.com/psirt/FG-IR-23-357
• https://fortiguard.fortinet.com/psirt/FG-IR-23-397

Vulnerability Identifier

• CVE-2023-26206
• CVE-2023-44487
• CVE-2023-45581
• CVE-2023-47537
• CVE-2024-21762
• CVE-2024-23113

Source

• Fortinet

Related Link

• https://fortiguard.fortinet.com/psirt/FG-IR-23-063
• https://fortiguard.fortinet.com/psirt/FG-IR-23-301
• https://fortiguard.fortinet.com/psirt/FG-IR-23-357
• https://fortiguard.fortinet.com/psirt/FG-IR-23-397
• https://fortiguard.fortinet.com/psirt/FG-IR-24-015
• https://fortiguard.fortinet.com/psirt/FG-IR-24-029
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog