Fortra’s Alert Logic is actively researching an out-of-bounds write vulnerability in FortiOS. This vulnerability, CVE-2024-21762, may allow an unauthenticated remote attacker to execute arbitrary code or command via specially crafted HTTP requests. Customers are recommended to upgrade to a fixed version of FortiOS as soon as possible.
Who is affected?
The following version of FortiOS are vulnerable to CVE-2024-21762:
- FortiOS 7.4.0 through 7.4.2
- FortiOS 7.2.0 through 7.2.6
- FortiOS 7.0.0 through 7.0.13
- FortiOS 6.4.0 through 6.4.14
- FortiOS 6.2.0 through 6.2.15
- All versions of FortiOS 6.0
What can I do?
Customers are recommended to upgrade to one of the following fixed versions of FortiOS, based on their current version of FortiOS.
- For FortiOS 7.4, upgrade to 7.4.3 or above.
- For FortiOS 7.2, upgrade to 7.2.7 or above.
- For FortiOS 7.0, upgrade to 7.0.14 or above.
- For FortiOS 6.4, upgrade to 6.4.15 or above.
- For FortiOS 6.2, upgrade to 6.2.16 or above.
- For FortiOS 6.0, migrate to one of the listed fixed versions.
If you are not able to upgrade immediately, the suggested workaround is to disable SSL VPN.
How is Alert Logic helping me?
Alert Logic is actively researching this threat to build detection capabilities in addition to those listed below.
Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on February 10, 2024. If the vulnerability is found, an exposure (EID: 253812) will be raised for CVE-2024-21762.
Updates
Alert Logic has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available. To follow updates for this vulnerability, click FOLLOW at the top of this article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
Comments
0 comments
Please sign in to leave a comment.