Fortinet, Ivanti Keep Customers Busy With Yet More Critical Bugs

Published: 23/11/2024   Category: security


Brand-new vulnerabilities from both vendors this week — one exploited in the wild — add to a steady stream of critical security issues in the security platforms.

UPDATE
Fortinet and Ivanti's VPN customers appear unable to catch any sort of a break from having to constantly respond to major security vulnerabilities in the respective vendors' technologies.
On Thursday, Feb. 8, both vendors disclosed critical flaws in their product lines — both under attack — that require prompt action from security teams, who are already dealing with recently patched bugs that are under active exploit in the wild.
Fortinet disclosed a critical out-of-bounds vulnerability in its FortiOS SSL VPN technology that the vendor warned is likely already being exploited in the wild. The vulnerability, identified as CVE-2024-21762, allows an unauthenticated attacker to execute arbitrary code or commands on affected systems via maliciously crafted HTTP requests.
The vulnerability affects multiple versions of FortiOS, from FortiOS 6.0 (all versions) to FortiOS 7.4.2. Fortinet has assigned the vulnerability a CVSS score of 9.6 out of 10.
CVE-2024-21762 is actually one of four flaws that Fortinet disclosed on Thursday. The other three are CVE-2024-23113, a near-maximum-severity (CVSS score 9.8) format string bug in multiple versions of FortiOS 7.0, 7.2 and 7.4; CVE-2023-44487, a medium-severity flaw in FortiOS and FortiProxy; and CVE-2023-47537, another medium-severity information disclosure bug in FortiOS. None of these are under exploit at the moment, according to Fortinet — though that could quickly change.
The new bug disclosures come even as many organizations are rushing to patch two maximum-severity command injection bugs in Fortinet's FortiSIEM (CVE-2024-23108 and CVE-2024-23109) that the company disclosed earlier in February. Fortinet disclosed the two bugs as an update to a vulnerability advisory it published last year (CVE-2023-34992), leaving many confused as to the connection between the three flaws. According to at least one security firm, the two new vulnerabilities that Fortinet announced this month are actually direct bypasses of last year's CVE-2023-34992.
By way of context, Fortinet VPNs are a favorite target for attackers, especially of the nation-state variety. One of them is Volt Typhoon, the China-backed actor that the US government recently warned is targeting US critical infrastructure. According to Fortinet, the threat actor has been exploiting two flaws in its products — one from 2022 (CVE-2022-42475) and the other from 2023 (CVE-2023-27997) — in its campaign.
Also, just last week, the Netherlands' Military Intelligence and Security Service (MIVD) warned of Chinese actors using the 2022 CVE to drop a RAT dubbed Coathanger on multiple FortiGate devices.
And, in a blog last week, Tenable listed multiple other vulnerabilities in Fortinet products that ransomware actors and persistent threat groups from Iran and Russia have exploited in recent years.
Ivanti, in the meantime, gave its customers further cause for work — and concern — by disclosing a critical vulnerability (CVE-2024-22024), and releasing a patch for it, in its frequently targeted Ivanti Connect Secure and Ivanti Pulse Secure technologies.
The company described the flaw (CVSS score 8.3) as an XML external entity (XXE) issue that allows an unauthenticated attacker access to certain restricted resources on affected systems.
It urged customers to immediately address the issue even though there was no evidence that attackers were actively attacking the bug; however, according to the Shadowserver Foundation, that changed a day later, on Friday.
"More Ivanti exploitation, this time the new CVE-2024-22024 RCE," it said in an alert on Ivanti in-the-wild exploitation. "We started seeing exploitation attempts to /dana-na/auth/saml-sso.cgi Feb 9th, around 8 UTC, shortly after [proof-of-concept] publication. These are primarily callback tests. 47 IPs seen to date attacking."
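A triage check a defender could run over their own request records for the endpoint named in Shadowserver's alert, added here as an example; it is not part of the original article or of Shadowserver's tooling. It assumes a tab-separated export of time, source IP, method, path and request body (as a reverse proxy or WAF might produce); the records are constructed, the XXE indicator is the generic inline-DTD-with-external-entity pattern, and nothing here is actual exploit traffic.

```python
import re
from collections import Counter

# Endpoint and first-seen time taken from Shadowserver's alert quoted above.
TARGET_PATH = "/dana-na/auth/saml-sso.cgi"
FIRST_SEEN = "2024-02-09T08:00:00Z"

# Generic XXE indicator: an inline DTD that declares an external (SYSTEM/PUBLIC) entity.
XXE_RE = re.compile(
    r"<!DOCTYPE[^>]*\[.*?<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.S | re.I
)

# Constructed sample export (time, src IP, method, path, body), not captured traffic.
# Bodies are shown decoded; a real SAMLResponse arrives base64-encoded in a form field.
SAMPLE_EXPORT = """\
2024-02-09T07:55:12Z\t203.0.113.10\tPOST\t/dana-na/auth/saml-sso.cgi\t<samlp:Response><saml:Issuer>idp.example</saml:Issuer></samlp:Response>
2024-02-09T08:03:41Z\t198.51.100.7\tPOST\t/dana-na/auth/saml-sso.cgi\t<!DOCTYPE r [<!ENTITY x SYSTEM "http://198.51.100.7/cb">]><samlp:Response>&x;</samlp:Response>
2024-02-09T08:04:02Z\t198.51.100.7\tPOST\t/dana-na/auth/saml-sso.cgi\t<!DOCTYPE r [<!ENTITY x SYSTEM "http://198.51.100.7/cb">]><samlp:Response>&x;</samlp:Response>
2024-02-09T08:10:55Z\t192.0.2.44\tGET\t/dana-na/auth/welcome.cgi\t
2024-02-09T09:12:09Z\t192.0.2.99\tPOST\t/dana-na/auth/saml-sso.cgi\t<!DOCTYPE r [<!ENTITY x PUBLIC "-//x" "http://192.0.2.99/p">]><a>&x;</a>
"""


def has_xxe_indicator(body: str) -> bool:
    """True if the XML body declares an external entity inside an inline DTD."""
    return bool(XXE_RE.search(body))


def triage(export: str):
    """Return (suspicious records, per-source-IP hit count on the SAML endpoint).

    ISO-8601 UTC timestamps compare correctly as strings, so the first-seen
    check is a plain string comparison.
    """
    hits = Counter()
    suspicious = []
    for line in export.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, body = line.split("\t", 4)
        if path != TARGET_PATH:
            continue  # only the endpoint named in the alert is of interest here
        hits[ip] += 1
        if has_xxe_indicator(body):
            suspicious.append({"time": ts, "ip": ip, "method": method,
                               "after_first_seen": ts >= FIRST_SEEN})
    return suspicious, hits


if __name__ == "__main__":
    records, counts = triage(SAMPLE_EXPORT)
    print(f"{len(records)} XXE-indicator requests from {len({r['ip'] for r in records})} IPs")
    for ip, n in counts.most_common():
        print(f"{ip}: {n} request(s) to {TARGET_PATH}")
```

A benign SAML login hits the same endpoint, so the hit count alone is not an indicator; the DTD check is what separates the constructed probes from the legitimate response.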
Initially, Ivanti attributed the bug's discovery to internal researchers. However, after Singapore-based watchTowr published a blog describing how it had discovered and reported the bug to Ivanti — along with screenshots of their communications — Ivanti backed down from its original claim.
"We initially flagged the code in question during our internal review," a spokesman says. "Shortly after, watchTowr contacted us through our responsible disclosure program regarding CVE-2024-22024, which we should have acknowledged."
The spokesman thanked watchTowr for its assistance and says Ivanti has updated its blog to reflect that fact. The spokesman, however, rejects claims by some security researchers about attackers actively exploiting the bug already, and says Ivanti has so far seen no evidence to support that claim.
As with Fortinet's customers, Ivanti's disclosure comes even as many of its customers have their hands full dealing with a couple of zero-day vulnerabilities that the company disclosed just weeks ago and that threat groups have been attacking with considerable ferocity recently. Ivanti began rolling out patches for the flaws in a phased manner in late January, weeks after the bugs came to light, and the lag in patch availability spurred mass exploitation attempts.
Customers who applied the patches for the two previous zero-days (CVE-2024-21887 and CVE-2023-46805) and reset their devices do not need to reset their devices again after applying the patch for the new flaw, Ivanti said. Alternatively, customers who have not patched against the zero-days can apply the patch for the new bug and also be protected against the previous two, the company noted.
This story was updated on Monday, Feb. 12 at noon ET to include Shadowserver's alert on in-the-wild exploitation of the new Ivanti bug.
