Fortinet’s Product Security Incident Response Team (PSIRT) announced the resolution of several critical and high-severity security vulnerabilities affecting various Fortinet products, including FortiSandbox and FortiOS.
These updates are part of Fortinet’s ongoing efforts to enhance the security and reliability of its solutions, ensuring a robust defense against potential threats.
Summary of Resolved Issues
A total of eight advisories were released, addressing vulnerabilities that range from incorrect authorization and format string weaknesses to OS command injection and authentication bypass issues.
Here are the details of the advisories:
| CVE | Description | Affected Products | Severity |
| CVE-2024-45324 | Incorrect authorization in GUI console: Allows low-privileged users unauthorized access. | FortiSandbox 4.4.6, 4.4.5, 4.4.4, 4.4.3, 4.4.2 … | High |
| CVE-2024-45324 | Multiple format string vulnerabilities: Allow control over format string input. | FortiOS 7.4.4, 7.4.3, 7.4.2, 7.4.1, 7.4.0 … FortiProxy 7.6.0, 7.4.6, 7.4.5, 7.4.4, 7.4.3 … FortiSRA 1.4.2, 1.4.1, 1.4.0 FortiWeb 7.6.0, 7.4.5, 7.4.4, 7.4.3, 7.4.2 … | High |
| CVE-2024-54027 | OS command injection: Improper neutralization of special elements used in OS commands. | FortiSandbox 5.0.0, 4.4.6, 4.4.5, 4.4.4, 4.4.3 … | High |
| CVE-2024-6387 | Use of hardcoded cryptographic key: For remote backup server password encryption. | FortiSandbox 5.0.0, 4.4.6, 4.4.5, 4.4.4, 4.4.3 … | High |
| CVE-2024-55591 | Signal handler race condition in OpenSSH server. | FortiADC 7.4.4, 7.4.3, 7.4.2, 7.4.1, 7.4.0 … FortiAIOps 2.0.1, 2.0.0 FortiAnalyzer 7.4.3, 7.4.2, 7.4.1, 7.4.0, 7.2.5 … FortiWeb 7.6.0, 7.4.4, 7.4.3, 7.4.2, 7.4.1 … | High |
| CVE-2024-40591 | Authentication bypass using an alternate path or channel in Node.js websocket module and CSF requests. | FortiOS 7.0.16, 7.0.15, 7.0.14, 7.0.13, 7.0.12 … FortiProxy 7.2.12, 7.2.11, 7.2.10, 7.2.9, 7.2.8 … | Critical |
| CVE-2024-35279 | Permission escalation due to improper privilege management. | FortiOS 7.6.0, 7.4.4, 7.4.3, 7.4.2, 7.4.1 … | High |
| CVE-2024-35279 | Stack buffer overflow in fabric service. | FortiOS 7.4.4, 7.4.3, 7.4.2, 7.4.1, 7.4.0 … | High |
Users are advised to update their Fortinet products to the latest versions to mitigate these vulnerabilities.
For a recommended upgrade path, Fortinet’s Upgrade Path Tool can be consulted. The company emphasizes the importance of staying vigilant and proactive in addressing security issues to ensure the integrity of its solutions.
Fortinet continues to demonstrate its commitment to security and customer safety by swiftly addressing potential vulnerabilities and providing timely updates.
As cybersecurity threats continue to evolve, maintaining updated software and following best practices are crucial for organizations to protect their networks effectively.
To report any security-related issues to Fortinet’s PSIRT or learn more about Fortinet’s security policies, users can visit the Fortinet PSIRT Policy page.
For further details on how to secure Fortinet products and services, users are encouraged to engage with Fortinet’s security community resources.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
