CISA Warns on Fortinet Vulnerability Amid Security Patches from Palo Alto and Cisco

fortinet

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant security vulnerability affecting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog. This warning comes as evidence surfaces indicating active exploitation of the flaw, tracked as CVE-2024-23113, which boasts a high CVSS score of 9.8. This vulnerability pertains to remote code execution issues across multiple Fortinet products, including FortiOS, FortiPAM, FortiProxy, and FortiWeb.

Understanding the Fortinet Vulnerability

The vulnerability arises from a use of externally-controlled format string vulnerability (CWE-134) in the FortiOS fgfmd daemon. As noted in Fortinet’s advisory, this flaw could potentially allow a remote unauthenticated attacker to execute arbitrary code or commands through specially crafted requests. The advisory was initially issued back in February 2024, but with the recent evidence of exploitation, the urgency for remediation has escalated.

CISA mandates that Federal Civilian Executive Branch (FCEB) agencies apply the vendor-provided mitigations by October 30, 2024. This deadline is crucial for ensuring optimal protection against this severe security threat.

Recent Vulnerabilities in Palo Alto Networks’ Expedition

The situation is further complicated as Palo Alto Networks recently disclosed several critical vulnerabilities in its Expedition tool. These flaws could enable attackers to read sensitive database contents and arbitrary files, posing serious risks to the security of PAN-OS firewalls. The vulnerabilities highlighted by Palo Alto Networks include:

  • CVE-2024-9463 (CVSS score: 9.9): An OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary OS commands as root.
  • CVE-2024-9464 (CVSS score: 9.3): An OS command injection vulnerability enabling authenticated attackers to execute arbitrary OS commands as root.
  • CVE-2024-9465 (CVSS score: 9.2): An SQL injection vulnerability that permits unauthenticated attackers to expose Expedition database contents.
  • CVE-2024-9466 (CVSS score: 8.2): A vulnerability that allows authenticated attackers to reveal sensitive information like firewall usernames and passwords stored in cleartext.
  • CVE-2024-9467 (CVSS score: 7.0): A reflected cross-site scripting (XSS) vulnerability that can lead to session theft if an authenticated user clicks on a malicious link.

These vulnerabilities primarily affect all versions of Expedition prior to 1.2.96. The company has credited Zach Hanley from Horizon3.ai for identifying some of these vulnerabilities, highlighting the importance of collaboration in cybersecurity.

Despite the seriousness of these flaws, there is currently no evidence to suggest they have been exploited in the wild. However, detailed steps to reproduce the problems are available publicly, raising concerns about potential future exploitation.

cisa

Recommendations for Mitigation

For organizations utilizing Fortinet or Palo Alto Networks products, it is essential to implement recommended mitigations immediately. Here are some key steps to enhance your cybersecurity posture:

  1. Update Software: Ensure that all affected systems are updated to the latest versions provided by the vendors.

  2. Limit Access: Restrict access to authorized users, hosts, or networks. This includes minimizing exposure of Expedition servers, particularly those located in the U.S., Belgium, Germany, the Netherlands, and Australia.

  3. Monitor Systems: Implement robust monitoring solutions to detect any suspicious activities that may indicate exploitation attempts.

  4. Conduct Regular Security Audits: Regularly review and audit your security policies and configurations to ensure compliance with best practices.

Cisco Addresses Command Execution Flaw

In addition to Fortinet and Palo Alto Networks, Cisco has also released urgent patches for a critical command execution flaw in its Nexus Dashboard Fabric Controller (NDFC). This vulnerability, tracked as CVE-2024-20432 with a CVSS score of 9.9, stems from improper user authorization and insufficient validation of command arguments.

An attacker could exploit this vulnerability by submitting crafted commands to affected REST API endpoints or through the web UI. A successful exploit could allow them to execute arbitrary commands with network-admin privileges on a Cisco NDFC-managed device. Cisco has addressed this flaw in NDFC version 12.2.2, noting that earlier versions (11.5 and prior) are not susceptible.

Conclusion

With the evolving landscape of cybersecurity threats, it is crucial for organizations to remain vigilant and proactive in addressing vulnerabilities. The warnings from CISA regarding Fortinet, the vulnerabilities disclosed by Palo Alto Networks, and Cisco’s prompt action highlight the urgent need for effective security measures. By staying informed and implementing recommended practices, organizations can better safeguard their systems against potential threats.

Follow us on x twitter (Twitter) for real time updates and exclusive content.

Scroll to Top