Fortinet urges patching N-day bug amid ongoing nation-state exploitation

Fortinet has advised users to immediately patch an N-day vulnerability in its systems being potentially exploited in the wild to carry out remote code execution (RCE) attacks.

Tracked as CVE-2024-21762, the flaw has a “critical” severity rating with a CVSS score of 9.6 and allows a remote unauthenticated actor to execute arbitrary commands by specially crafted HTTP requests.

While the company did not share more details on the bug’s exploitation, a Fortinet report published a day before emphasized the importance of patching a few known vulnerabilities as they have been actively exploited by a China-backed espionage campaign.

“The best defense against any N-Day vulnerability is following good cyber hygiene, including remediation guidance and timely patching,” Fortinet said in the report. “The complexity of the exploit suggests an advanced actor, and the fact the attacks are highly targeted at governmental or strategic targets such as critical national infrastructure, manufacturing, and service providers in government-adjacent industries suggests nation-state capability.”

“N-day” refers to known vulnerabilities with available patches that have not been applied by organizations, leaving them open to exploitation.

Immediate patching or a workaround is advised

Attackers are likely exploiting the “out-of-bounds write” vulnerability in the Secure Socket Layer Virtual Private Network (SSL VPN) service within the Fortinet operating system FortiOS, according to the company.

SSL VPNs are trusted secure connections to private organization networks. A vulnerability like CVE-2024-21762 allows attackers to access and exploit systems on these secure channels.

The vulnerability affects FortiOS versions 7.4 (before 7.4.2), 7.2 (before 7.2.6), 7.0 (before 7.0.13), 6.4 (before 6.4.14), 6.2 (before 6.2.15), 6.0 (all versions). While patches have been rolled out with the successive releases of Fortinet versions 6.2, 6.4, 7.0, 7.2, and 7.4 have reached the end of support, version 7.6 is not affected by the vulnerability.

Users unable to upgrade to patched versions are advised to disable SSL VPN as a workaround.

Fortinet has warned against one more critical vulnerability (CVSS 9.8), with no known exploitations yet, tracked under CVE-2024-23113 that also allows remote code execution (RCE) by using the “externally-controlled format string vulnerability” in the FortiOS fgfmd daemon, another secure connection authentication module.

Fortinet warns against nation-state exploitations

In the report, Fortinet underlined the tactics, techniques, and procedures (TTPs) used by China-backed threat actor, Volt Typhoon, to exploit Fortinet’s known bugs to gain initial access to target systems.

The company revealed that Chinese hackers likely exploited Fortinet N-days disclosed in December 2022 (CVE-2022-42475), and June 2023 (CVE-2023-27997) for targeting critical infrastructure organizations, as the incident investigation revealed the use of living-of-the-land (LOTL) binaries consistent with Volt Typhoon’s TTPs.

The attribution was confirmed by a cybersecurity infrastructure security agency (CISA) advisory issued the same day as the Fortinet report.

Use of Fortinet flaws by Volt Typhoon is among the many techniques the People’s Republic of China (PRC) has been using to hack into critical US systems, according to Cynthia Kaiser, deputy assistant director for the FBI’s cybersecurity division, as cited by The Register.

The FBI reportedly submitted a request last week to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows federal officers to spy on foreigners’ overseas electronic communications.


Go to Source