Fortinet, Ivanti Keep Customers Busy With Yet More Critical Bugs

Brand-new vulnerabilities from both vendors this week — one exploited in the wild — add to a steady stream of critical security issues in the security platforms.


UPDATE

Fortinet and Ivanti's VPN customers appear unable to catch any sort of a break from having to constantly respond to major security vulnerabilities in the respective vendors' technologies.

On Thursday, Feb. 8, both vendors disclosed critical flaws in their product lines — both under attack — that require prompt action from security teams, who are already dealing with recently patched bugs that are under active exploit in the wild.

Actively Exploited Bug Among 4 New Fortinet Flaws

Fortinet disclosed a critical out-of-bounds vulnerability in its FortiOS SSL VPN technology that the vendor warned is likely already being exploited in the wild. The vulnerability, identified as CVE-2024-21762, allows an unauthenticated attacker to execute arbitrary code or commands on affected systems via maliciously crafted HTTP requests.

The vulnerability affects multiple versions of FortiOS from FortiOS 6.0 (all versions) to FortiOS 7.4.2. Fortinet has assigned the vulnerability a CVSS score of 9.6 out of 10.

CVE-2024-21762 is actually one of four flaws that Fortinet disclosed on Thursday. The other three are CVE-2024-23113, a near-maximum-severity (CVSS score 9.8) format string bug in multiple versions of FortiOS 7.0, 7.2 and 7.4; CVE-2023-44487, a medium-severity flaw in FortiOS and FortiProxy; and CVE-2023-47537, another medium-severity information disclosure bug in FortiOS. None of these are under exploit at the moment, according to Fortinet — though that could quickly change.

The new bug disclosures come even as many organizations are rushing to patch two maximum-severity command injection bugs in Fortinet's FortiSIEM (CVE-2024-23108 and CVE-2024-23109) that the company disclosed earlier in February. Fortinet disclosed the two bugs as an update to a vulnerability advisory it published last year (CVE-2023-34992), leaving many confused as to the connection between the three flaws. According to at least one security firm, the two new vulnerabilities that Fortinet announced this month are actually direct bypasses of last year's CVE-2023-34992.

By way of context, Fortinet VPNs are a favorite target for attackers, especially of the nation-state variety. One of them is Volt Typhoon, the China-backed actor that the US government recently warned is targeting US critical infrastructure. According to Fortinet, the threat actor has been exploiting two flaws in its products — one from 2022 (CVE-2022-42475) and the other from 2023 (CVE-2023-27997) — in its campaign.

Also, just last week, the Netherlands Military Intelligence and Security Service (MIVD) warned of Chinese actors using the 2022 CVE to drop a RAT dubbed Coathanger on multiple FortiGate devices.

And, in a blog last week, Tenable listed multiple other vulnerabilities in Fortinet products that ransomware actors and persistent threat groups from Iran and Russia have exploited in recent years.

Ivanti Sees Yet Another Bug in Connect Secure, Pulse Secure

Ivanti in the meantime gave its customers further cause for work — and concern — by disclosing a critical vulnerability (CVE-2024-22024), and releasing a patch for it, in its frequently targeted Ivanti Connect Secure and Ivanti Pulse Secure technologies.

The company described the flaw (CVSS score 8.3) as an XML external entity (XXE) issue that allows an unauthenticated attacker access to certain restricted resources on affected systems.

It urged customers to address the issue immediately even though there was no evidence that attackers were actively exploiting the bug. According to the Shadowserver Foundation, however, that changed a day later, on Friday.

"More Ivanti exploitation, this time the new CVE-2024-22024 RCE," it said in an alert on Ivanti in-the-wild exploitation. "We started seeing exploitation attempts to '/dana-na/auth/saml-sso.cgi' Feb 9th, around 8 UTC, shortly after [proof-of-concept] publication. These are primarily callback tests. 47 IPs seen to date attacking."

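For defenders who want to look for the requests Shadowserver describes, the following added example (not code from the article, Shadowserver or Ivanti) scans web access logs for hits on '/dana-na/auth/saml-sso.cgi' and groups them by source IP. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Path named in the Shadowserver alert quoted above.
TARGET = "/dana-na/auth/saml-sso.cgi"

# Assumption: logs are in Apache/nginx "combined" format, e.g. from a
# reverse proxy or load balancer in front of the VPN appliance.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(uri):
    """Drop the query, decode percent-escapes, collapse //, ./ and ../."""
    path = normpath(unquote(uri.split("?", 1)[0]))
    # normpath keeps a leading "//", so rebuild a single leading slash.
    # Lower-cased so case variants are surfaced too (assumption:
    # over-matching is acceptable for triage).
    return "/" + path.lstrip("/").lower()

def find_hits(lines):
    """Return {source_ip: [(timestamp, method, status), ...]} for TARGET."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalise(m["uri"]) == TARGET:
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [09/Feb/2024:08:02:11 +0000] "POST /dana-na/auth/saml-sso.cgi HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [09/Feb/2024:08:02:15 +0000] "POST /dana-na//auth/%73aml-sso.cgi?x=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.20 - - [09/Feb/2024:08:05:40 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [09/Feb/2024:09:14:02 +0000] "POST /DANA-NA/auth/saml-sso.cgi HTTP/1.1" 302 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, events in sorted(find_hits(SAMPLE).items()):
        print(ip, len(events), "request(s), first seen", events[0][0])
```

A hit only shows that the endpoint was requested; whether a given request was an exploitation attempt has to be judged from the request body and the appliance's own logs.
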
Initially, Ivanti attributed the bug's discovery to internal researchers. However, after Singapore-based watchTowr published a blog describing how it had discovered and reported the bug to Ivanti — along with screenshots of their communications — Ivanti backed down from its original claim.

"We initially flagged the code in question during our internal review," a spokesman says. "Shortly after, watchTowr contacted us through our responsible disclosure program regarding CVE-2024-22024, which we should have acknowledged."

The spokesman thanked watchTowr for its assistance and says Ivanti has updated its blog to reflect that fact. The spokesman, however, rejects claims by some security researchers that attackers are already actively exploiting the bug, and says Ivanti has so far seen no evidence to support that claim.

As with Fortinet's customers, Ivanti's disclosure comes while many of its customers have their hands full dealing with a couple of zero-day vulnerabilities that the company disclosed just weeks ago and that threat groups have recently been attacking with considerable ferocity. Ivanti began rolling out patches for the flaws in a phased manner in late January, weeks after the bugs came to light, and the lag in patch availability spurred mass exploitation attempts.

Customers who applied the patches for the two previous zero days (CVE-2024-21887 and CVE-2023-46805) and reset their devices do not need to reset their devices again after applying the patch for the new flaw, Ivanti said. Alternatively, customers who have not patched against the zero-days can apply the patch for the new bug and also be protected against the previous two, the company noted.

This story was updated on Monday, Feb. 12, at noon ET to include Shadowserver's alert on in-the-wild exploitation of the new Ivanti bug.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
