Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet’s FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in the wild.

This format string flaw vulnerability has raised significant concerns due to its potential for remote code execution.

The flaw allows attackers to control format strings, leading to unauthorized access and manipulation of network border appliances without requiring credentials or asset lists.

Gwendal Guégniaud of the Fortinet Product Security team discovered the vulnerability before patching it, affecting all currently maintained FortiGate branches.

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the active exploitation of this vulnerability, emphasizing the urgent need for organizations to update their systems.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Technical Details and Exploitation

According to the Labs report, the format string vulnerability arises when a developer allows an attacker to control a ‘format string.’

In a typical scenario, a function like printf is misused:

void doStuff(char* stuffToDo)
{
    printf(stuffToDo);
}

In this case, if an attacker passes a string containing format specifiers like %s, it can lead to remote code execution.

The FortiGate vulnerability exploits this flaw within the FGFM (FortiGate to FortiManager) protocol, centralizing FortiGate devices.

Researchers found they could exploit this vulnerability by manipulating FGFM messages over an SSL connection on TCP port 541.

The protocol uses ASCII-based newline-delimited formats with key/value pairs, making it susceptible to this attack.

Impact and Mitigation

The vulnerability affects multiple versions of FortiGate firmware, including branches 7.0, 7.2, and 7.4. Each branch exhibits different behaviors when exploited:

• Version 7.0: Accepts self-signed certificates in unpatched versions but requires certificates signed by a configured CA after patching.
• Version 7.2: Similar behavior as version 7.0 regarding certificate acceptance.
• Version 7.4: Requires certificates signed by a configured CA even in unpatched versions, complicating exploitation.

Fortinet advises administrators to prevent access to the FGFM service as a mitigation step and strongly recommends updating to the latest firmware versions.

This update addresses the format string vulnerability by ensuring that format strings are not attacker-controlled.

Detection and Testing

To detect vulnerable systems, researchers developed a Python script that tests for the presence of this vulnerability by sending specific payloads over the FGFM protocol.

The script checks whether a device aborts the connection upon receiving a %n payload, indicating vulnerability:

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
    sock.connect((hostname, 541))
    with context.wrap_socket(sock, server_side=True) as ssock:
        # Send payload
        payload = b"reply 200\r\nrequest=auth\r\nauthip=%n\r\n\r\n\x00"
        packet = b''
        packet += 0x0001e034.to_bytes(4, 'little')
        packet += (len(payload) + 8).to_bytes(4, 'big')
        packet += payload
        ssock.send(packet)

This method effectively identifies vulnerable instances without causing system crashes.

The discovery of CVE-2024-23113 highlights the ongoing challenges in securing network appliances against sophisticated attacks.

Organizations using FortiGate devices should prioritize patching their systems to mitigate this critical vulnerability.

While updating is always recommended, understanding the risks associated with each firmware version can help administrators make informed decisions about their security posture.

Fortinet’s advice remains clear: update all affected systems promptly to ensure protection against potential exploitation.

How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)