Φiriki Intelligence Blog Shadowserver: 86,000+ Fortinet Instances are Still Vulnerable to Known Format String Flaw

Shadowserver: 86,000+ Fortinet Instances are Still Vulnerable to Known Format String Flaw

According to data gathered by Shadowserver, more than 86,000 Fortinet instances remain vulnerable to a known format string flaw in FortiOS fgfmd daemon. The critical vulnerability (CVE-2024-23113) was disclosed in February 2024, more than eight months ago. The majority of unpatched instances (38,778) are in Asia, followed by North America (21,262) and Europe (16,381). The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to their Known Exploited Vulnerabilities (KEV) catalog last week; Federal Civilian Executive Branch (FCEB) agencies have until October 30 to mitigate the issue

Editor’s Note

86,000. This isn’t a firewall manufacturer’s problem right now. This is a problem on the general internet, where ‘critical’ security devices that are meant to keep customers safe have been unpatched for a lengthy amount of time. This reminds me of how we ‘solved’ errors-based SQL injection. It was basically Lulzsec going around and ‘owning’ everyone because it was for the ÒLULZ.Ó It only takes one very motivated group to take this from ‘we didn’t patch our firewalls all that often’ to ‘a group has owned us because they thought it was funny.’ Regardless of who makes the product, this is the equivalent of having unpatched Windows on the internet and hoping no one takes over your device.

Moses Frost

CVE-2024-23113, externally controlled format string vulnerability, CVSS score 9.8, can be used to allow a remote attacker to execute arbitrary commands. The flaw was discovered in February, but apparently attackers were busy going after other Fortinet flaws and are now actively exploiting the flaw. The fix is to update your installation of FortiWeb, FortiProxy, FortiPAM or FortiOS to the latest version. You can mitigate the flaw by disabling fgfm access to portX, which prevents FortiGate discovery from FortiManager, but even so this workaround isn’t a complete fix.

Lee Neely

This format string vulnerability isn’t all that straightforward to exploit. Exploitation may be blocked if the Fortinet SSLVPN verified the certificate authority of the certificate used by the client, something the patch enforces. Refer to the Watchtowr writeup to understand the impact. Fortinet’s bulletin is a bit short on the details. labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/: Fortinet FortiGate CVE-2024-23113 – A Super Complex Vulnerability In A Super Secure Appliance In 2024.

Johannes Ullrich