Home > Security Bulletins > FortiOS Out-of-Bounds Write in SSL VPN – CVE-2024-21762

FortiOS Out-of-Bounds Write in SSL VPN – CVE-2024-21762

Tuesday 9th February 2024

Introduction

Last night Fortinet published a PSIRT bulletin regarding an out-of-bounds write vulnerability in FortiOS. CVE-2024-21762 (CVSS v3.1: 9.6 [Critical]) may allow a remote unauthenticated attacker to execute arbitrary code in sslvpnd via specially crafted HTTP requests.

Fortinet’s bulletin states that this vulnerability is potentially being exploited in the wild.

Also published yesterday is CVE-2024-23113 (CVSS v3.1: 9.8 [Critical]) which is a vulnerability in fgfmd (FortiGate to FortiManager Protocol) that may allow remote unauthenticated attackers to execute arbitrary code via specially crafted requests. This one is not know to being actively exploited however.

Spotit’s advice is for all users to upgrade affected versions of FortiOS as soon as possible.

Affected Versions

The following versions are affected by CVE-2024-21762:

FortiOS 7.6 Not affected Not Applicable
FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above
FortiOS 6.4 6.4.0 through 6.4.14 Upgrade to 6.4.15 or above
FortiOS 6.2 6.2.0 through 6.2.15 Upgrade to 6.2.16 or above
FortiOS 6.0 6.0 all versions Migrate to a fixed release

The following versions are affected by CVE-2024-23113:

FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above