RCEs in FortiOS SSL VPN, ‘shim’; Latest Ivanti Flaw Possibly Exploited (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024)

Fortinet has revealed a new critical Remote Code Execution (RCE) vulnerability in FortiOS SSL VPN, cautioning about potential exploitation in ongoing attacks.

Tracked as CVE-2024-21762 (CVSS: 9.6), the critical vulnerability is an out-of-bounds write issue in FortiOS. It allows an unauthenticated attacker to achieve remote code execution through maliciously crafted requests.

Image: SOCRadar Vulnerability Card for CVE-2024-21762, FortiOS SSL VPN

The affected FortiOS versions include:

  • FortiOS 7.6
  • FortiOS 7.4
  • FortiOS 7.2
  • FortiOS 7.0
  • FortiOS 6.4
  • FortiOS 6.2
  • FortiOS 6.0

Fortinet advises upgrading to the latest versions listed in the advisory to patch the FortiOS SSL VPN vulnerability. If unable to apply patches immediately, as a mitigation method, you can disable SSL VPN on FortiOS devices.

According to a Shodan search, over 310,000 FortiGate firewalls are accessible from the Internet.

Image: Shodan search on exposed FortiGate firewalls

In addition to CVE-2024-21762, Fortinet disclosed another critical vulnerability, CVE-2024-23113 (CVSS: 9.8), although it has not been reported as exploited in the wild. 

With SOCRadar’s Vulnerability Intelligence, you can track hacker trends and access detailed information on identified vulnerabilities, as well as view if a particular vulnerability has an associated exploit detected.

Image: SOCRadar’s Vulnerability Intelligence

Concerningly, Fortinet recently revealed that Chinese state-sponsored threat actors, known as Volt Typhoon, target FortiOS vulnerabilities to deploy custom malware. CISA has also issued guides to mitigate the impact of this threat group. Following the recommended measures to mitigate vulnerabilities in such widely deployed products, which are also targeted by specific threat actors, is critically important.

Shim Security Update for Critical Vulnerabilities Affecting Secure Boot on Linux

The maintainers of shim addressed six vulnerabilities, including a critical flaw that could potentially lead to Remote Code Execution (RCE) under specific circumstances.

In the context of Secure Boot on Linux, “shim” refers to a pre-bootloader program that works with Secure Boot firmware on UEFI systems. Most Linux distributions use it in the boot process; it allows trusted bootloaders and kernel modules to be loaded and executed if they are not included in the Secure Boot database. The shim verifies the signatures of these components to ensure their integrity and authenticity during boot.

It is frequently used when either the bootloader or the operating system kernel lacks a signature recognized by the UEFI firmware. The shim, signed with a key trusted by the firmware, enables the loading and execution of an unsigned bootloader or kernel.

The critical vulnerability tracked as CVE-2023-40547 (CVSS score: 9.8) resides in HTTP boot support and could lead to Secure Boot bypass.

Image: SOCRadar Vulnerability Card for CVE-2023-40547

The vulnerability occurs because shim’s HTTP boot support trusts attacker-controlled values when parsing an HTTP response. This allows an attacker to craft a specific malicious HTTP response, leading to an out-of-bounds write that can result in a complete system compromise.

The critical vulnerability, discovered by Bill Demirkapi of MSRC, is warned to affect every Linux boot loader signed in the past decade.

Possible Attack Scenarios

Attackers can conduct a Man-in-the-Middle (MitM) attack, intercepting HTTP traffic between victims and servers while HTTP boot files are being served, as highlighted by researchers. This exploit can occur from any network segment between the victim and the legitimate server.

In another tactic, attackers with privileges can manipulate EFI variables or the EFI partition using a live Linux USB stick. By altering the boot order, they can load a remote and vulnerable shim on the system, enabling privileged code execution from the remote server without disabling Secure Boot.

Furthermore, attackers on the same network can manipulate PXE to chain-load a vulnerable shim bootloader, which could provide privileged access and bypass kernel and OS controls.

The maintainers of shim addressed the critical CVE-2023-40547 vulnerability alongside CVE-2023-40546, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, and CVE-2023-40551 with the release of shim version 15.8.

Ivanti Discloses Critical XXE Vulnerability, CVE-2024-22024: Urgent Patching Required

Ivanti has disclosed another vulnerability, found during its investigation into issues affecting Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways, and urges users to patch immediately.

The latest vulnerability, CVE-2024-22024, rated with a CVSS score of 8.3, is an XML External Entity (XXE) vulnerability in the SAML component, affecting versions 9.x and 22.x of these Ivanti products. Successful exploitation can grant attackers access to restricted resources without authentication.
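An XXE needs a DTD to declare the external entity, and a legitimate SAML message never carries one, so a defensive SAML consumer can refuse any DOCTYPE or entity declaration before parsing. The following is an added illustration written for this post, not Ivanti’s code; the SAML samples are constructed, and the entity’s SYSTEM URI is a placeholder.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class UnsafeSamlMessage(ValueError):
    """Raised when a SAML message carries a DTD or entity declaration."""


def parse_saml_response(xml_bytes):
    """Parse a samlp:Response, refusing any DOCTYPE or entity declaration.

    A probe expat parser runs first with handlers that abort on the first
    DTD construct, so no entity (internal or external) is ever resolved.
    """
    probe = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSamlMessage("DOCTYPE declaration not allowed in SAML messages")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSamlMessage("entity declaration not allowed: %s" % name)

    probe.StartDoctypeDeclHandler = on_doctype
    probe.EntityDeclHandler = on_entity
    probe.Parse(xml_bytes, True)  # raises UnsafeSamlMessage on a DTD

    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % SAMLP:
        raise UnsafeSamlMessage("root element is not samlp:Response")
    return root


def is_safe_saml(xml_bytes):
    """True if the message parses without any DTD and has the expected root."""
    try:
        parse_saml_response(xml_bytes)
        return True
    except (UnsafeSamlMessage, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: a minimal benign Response and one carrying an XXE DTD.
BENIGN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          b'ID="_c1" Version="2.0"><saml:Issuer xmlns:saml='
          b'"urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example'
          b'</saml:Issuer></samlp:Response>')
XXE = (b'<?xml version="1.0"?>\n'
       b'<!DOCTYPE samlp:Response [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>\n'
       b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
       b'ID="&ext;" Version="2.0"/>')
```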

Image: SOCRadar Vulnerability Card for CVE-2024-22024

While Ivanti reports there is no evidence of exploitation, it also emphasizes the need for prompt action to ensure protection. 

Despite Ivanti’s advisory, some members of the security community claim the new vulnerability (CVE-2024-22024) is being exploited, voicing their concerns on platforms such as X (formerly Twitter) and Mastodon.

Image: The vulnerability is reportedly under active exploitation (X)

Another Twitter user suggests monitoring Ivanti Pulse outgoing connections in DNS, firewall, proxy, and other logs. They have shared Indicators of Compromise (IOCs) to detect compromise. Breached Ivanti Pulse appliances reportedly send DNS queries to the following domains:

  • *[.]oastify[.]com – DNS query type A
  • *[.]burptest[.]tssrt[.]de – DNS query type A
  • 255[.]255[.]255[.]255[.]in-addr[.]arpa – Type PTR
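The three indicators above translate directly into a DNS-log sweep: flag A queries for any subdomain of the two Collaborator-style domains and PTR queries for the exact in-addr.arpa name. The script below is an added example written for this post (not from the source or from Ivanti); it assumes a simplified, constructed log layout of timestamp, client IP, query type and query name, and all log lines are made up.

```python
import re

# Indicators quoted in the post, with the defanging brackets removed.
# "*.suffix" entries match any subdomain of suffix for the given query type;
# exact entries must match the whole query name.
IOC_SUFFIXES = {"A": ("oastify.com", "burptest.tssrt.de")}
IOC_EXACT = {"PTR": ("255.255.255.255.in-addr.arpa",)}

# Assumed (constructed) log layout: "<timestamp> <client-ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Za-z]+)\s+(?P<qname>\S+)$")


def match_ioc(qtype, qname):
    """Return the indicator that qtype/qname matches, or None."""
    qtype = qtype.upper()
    name = qname.lower().rstrip(".")  # resolver logs often append the root dot
    for suffix in IOC_SUFFIXES.get(qtype, ()):
        if name.endswith("." + suffix):  # label boundary: *.suffix only
            return "*." + suffix
    for exact in IOC_EXACT.get(qtype, ()):
        if name == exact:
            return exact
    return None


def scan_dns_log(lines):
    """Return (timestamp, client, qname, indicator) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # malformed line; skip rather than abort the sweep
        ioc = match_ioc(m["qtype"], m["qname"])
        if ioc is not None:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


# Constructed sample log: two appliances, one clean lookup, one near-miss.
SAMPLE_LOG = """\
2024-02-09T08:12:01Z 10.10.1.20 A   updates.vendor.example
2024-02-09T08:12:05Z 10.10.1.20 A   x7k2q9.oastify.com.
2024-02-09T08:12:06Z 10.10.1.20 A   notoastify.com
2024-02-09T08:12:09Z 10.10.1.20 PTR 255.255.255.255.in-addr.arpa
2024-02-09T08:12:11Z 10.10.1.21 A   abc.burptest.tssrt.de
2024-02-09T08:12:12Z 10.10.1.21 TXT abc.burptest.tssrt.de
""".splitlines()

if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname} (matches {ioc})")
```

The near-miss line (notoastify.com) and the TXT query are deliberately left unmatched so the sweep stays faithful to the query types and wildcard scope the indicators specify.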

Last week, two other vulnerabilities were found, with one identified as CVE-2024-21893 being exploited in attacks on Ivanti customers, including government agencies globally. The vulnerabilities prompted CISA to direct all U.S. federal civilian agencies to disconnect Ivanti Connect Secure and Policy Secure products within 48 hours. 

For more details, refer to our blog post: Vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Exploited (CVE-2024-21888, CVE-2024-21893)

The post RCEs in FortiOS SSL VPN, ‘shim’; Latest Ivanti Flaw Possibly Exploited (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024) appeared first on SOCRadar® Cyber Intelligence Inc..
