Fortinet and Ivanti VPN customers can't seem to catch a break from having to constantly respond to major security vulnerabilities in their respective vendors' products.
On Thursday, February 8, 2024, both vendors disclosed critical flaws in their product lines that require prompt action from security teams that are already busy addressing recently patched bugs under active exploitation in the wild.
Actively exploited bug among 4 new Fortinet flaws
Fortinet disclosed a critical out-of-bounds write vulnerability in the SSL VPN component of FortiOS that, according to the vendor, is potentially already being exploited in the wild. The flaw, tracked as CVE-2024-21762, allows an unauthenticated attacker to execute arbitrary code or commands on affected systems via specially crafted HTTP requests.
The vulnerability affects every FortiOS release from 6.0 (all versions) through 7.4.2. Fortinet assigned it a CVSS score of 9.6 out of 10. Where upgrading is not immediately possible, Fortinet's advisory lists disabling SSL VPN entirely as the workaround; disabling SSL VPN web mode alone does not mitigate the bug.
CVE-2024-21762 is actually one of four flaws Fortinet disclosed on Thursday. The other three are CVE-2024-23113, a format string bug of near-maximum severity (CVSS 9.8) affecting multiple versions of FortiOS 7.0, 7.2, and 7.4; CVE-2023-44487, the medium-severity HTTP/2 Rapid Reset denial-of-service issue as it applies to FortiOS and FortiProxy; and CVE-2023-47537, another medium-severity information disclosure bug in FortiOS. According to Fortinet, none of these three is under exploitation at the moment, although that could change quickly.
The new disclosures come just as many organizations are rushing to patch two maximum-severity command injection bugs in Fortinet's FortiSIEM (CVE-2024-23108 and CVE-2024-23109) that the company announced at the beginning of February. Fortinet disclosed the pair as an update to an advisory it published last year for CVE-2023-34992, which left many confused about how the three flaws relate. According to at least one security firm, the two vulnerabilities announced this month are direct bypasses of the fix for last year's CVE-2023-34992.
For context, Fortinet VPNs are a favorite target of attackers, nation-state actors in particular. One of them is Volt Typhoon, the China-backed group that the U.S. government recently warned is targeting critical U.S. infrastructure. According to Fortinet, the group exploited two flaws in its products in that campaign, one dating from 2022 (CVE-2022-42475) and the other from 2023 (CVE-2023-27997).
Furthermore, just last week, the Dutch Military Intelligence and Security Service (MIVD) warned that Chinese state actors had used the 2022 flaw (CVE-2022-42475) to deploy a remote access trojan dubbed Coathanger on multiple FortiGate devices.
And in a blog post last week, Tenable listed numerous other Fortinet vulnerabilities that ransomware operators and persistent threat groups from Iran and Russia have exploited in recent years.
Ivanti discloses another bug in Connect Secure and Policy Secure
Meanwhile, Ivanti has given its customers more work, and more to worry about, by disclosing a critical vulnerability (CVE-2024-22024) and releasing a patch for it in the oft-targeted Ivanti Connect Secure and Ivanti Policy Secure products.
The company described the flaw (CVSS score 8.3) as an XML External Entity (XXE) issue that allows an unauthenticated attacker to access certain restricted resources on affected systems. It urged customers to address the issue immediately even though there is no evidence that attackers are actively exploiting it.
Ivanti initially credited the discovery of the bug to its internal researchers. However, after Singapore-based watchTowr published a blog post describing how it had discovered and reported the bug to Ivanti, complete with screenshots of the exchange, Ivanti walked back its original claim.
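To make the XXE bug class concrete, here is an added example; it is not Ivanti's code and does not reproduce CVE-2024-22024, it only illustrates the class of flaw the advisory names. A Python `xml.sax` parser is explicitly configured to resolve external general entities (the stdlib has left that feature off by default since 3.7.1, so the vulnerable function turns it on deliberately to mimic a parser that resolves them), which lets a constructed document pull a local file into the parsed output. Beside it sits a hardened parser that refuses any document carrying a DTD and leaves external entity resolution off. The `config` element, the `secret` entity name, the file contents and the temporary file path are all constructed for the demonstration; the file is created in a temp directory and removed afterwards, so the example runs offline on a POSIX system.

```python
import io
import os
import re
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects all character data the parser reports for the document."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def build_xxe_payload(target_path):
    """Constructed attacker input: declares an external general entity whose
    system identifier is a local file, then references it in the body.
    A file:// URL works the same way as the plain absolute path used here."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE config [<!ENTITY secret SYSTEM "{target_path}">]>\n'
        '<config>&secret;</config>\n'
    ).encode()


def parse_vulnerable(data):
    """Parser that resolves external general entities: the contents of the
    file named in the DTD are expanded in place of &secret; and returned to
    the caller as if they were part of the submitted document."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.chunks)


# Crude but effective pre-check: untrusted input from a network peer has no
# business carrying a DTD at all (defusedxml hooks the doctype event instead).
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_hardened(data):
    """Parser for untrusted input: rejects documents with a DTD outright and
    keeps external general and parameter entity resolution switched off."""
    if _DOCTYPE.search(data):
        raise ValueError("DTDs are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.chunks)


def demo():
    """Runs the constructed attack against both parsers and returns
    (text leaked by the vulnerable parser, error raised by the hardened one)."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2")  # constructed "restricted resource"
        path = f.name
    try:
        payload = build_xxe_payload(path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = None
        except ValueError as exc:
            blocked = str(exc)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser raised:", repr(blocked))
```

The hardened function shows the two layers a practitioner wants: a policy check that refuses DTDs before the parser ever sees them, plus parser features pinned to the safe value rather than relied on by default, so a future change of defaults or a swap to another parser library does not silently reopen the hole.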
“We initially flagged the code in question during our internal review,” a spokesperson says. “Shortly thereafter, watchTowr contacted us through our responsible disclosure program regarding CVE-2024-22024, which we should have acknowledged.”
The spokesperson thanked watchTowr for its assistance and says Ivanti has updated its blog post accordingly. The spokesperson, however, rejected claims by some security researchers that attackers are already actively exploiting the bug, saying Ivanti has so far seen no evidence to support them.
As with Fortinet's customers, Ivanti's disclosure comes just as many of its customers are still dealing with a pair of zero-day vulnerabilities the company disclosed a few weeks ago and that threat groups have been attacking with remarkable ferocity. Ivanti began rolling out patches for those flaws in phases in late January, weeks after the bugs came to light, and the delay in patch availability spurred mass exploitation attempts.
Customers who have already patched the previous two zero-days (CVE-2024-21887 and CVE-2023-46805) and factory-reset their appliances do not need to reset them again after applying the patch for the new flaw, Ivanti said. Customers who have not yet patched against the zero-days can apply the new patch and be protected against the previous two bugs as well, the company noted.