

An Emerging Ducktail Infostealer – Active IOCs
October 10, 2024
Multiple Microsoft Products Vulnerabilities
October 10, 2024
October 10, 2024
Severity
High
Analysis Summary
On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting Fortinet products to its list of known exploited vulnerabilities (KEV) after discovering evidence of ongoing exploitation.
The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), affects FortiOS, FortiPAM, FortiProxy, and FortiWeb and can lead to remote code execution. It is an externally controlled format string vulnerability [CWE-134] in the FortiOS fgfmd daemon that could allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
As usual, there are few specifics in the warning about how the vulnerability is being used in the wild, who is using it as a weapon, and against whom. Federal Civilian Executive Branch (FCEB) agencies are required to implement the vendor-provided mitigations by October 30, 2024, to maximize protection, given the current state of exploitation.
This development coincides with Palo Alto Networks' disclosure of multiple flaws in Expedition that could allow an attacker to write arbitrary files to temporary storage locations on the system and to read database contents. The Expedition database holds data imported from PAN-OS firewalls, including usernames, cleartext passwords, device configurations, and device API keys. The following vulnerabilities affect all versions of Expedition older than 1.2.96:
- CVE-2024-9463 - An operating system (OS) command injection vulnerability that lets an unauthenticated attacker run arbitrary OS commands as root.
- CVE-2024-9464 - An OS command injection vulnerability that lets an authenticated attacker run arbitrary OS commands as root.
- CVE-2024-9465 - A SQL injection flaw that exposes the contents of the Expedition database to an unauthenticated attacker.
- CVE-2024-9466 - A cleartext storage of sensitive information vulnerability that lets an authenticated attacker view firewall usernames, passwords, and the API keys generated using those credentials.
- CVE-2024-9467 - A reflected cross-site scripting (XSS) vulnerability that allows malicious JavaScript to be executed in the context of an authenticated Expedition user's browser if the user clicks on a malicious link. This vulnerability makes phishing attacks possible and raises the possibility of theft of an Expedition user's browser session.
Although steps to reproduce the vulnerabilities are publicly available, there is no evidence that the flaws have been exploited in the wild. Approximately 23 Expedition servers are exposed online, most of them in Australia, Belgium, Germany, the Netherlands, and the United States. As a mitigation, access to Expedition should be restricted to authorized hosts, networks, or users, and the software should be shut down when not in use.
Cisco also published updates last week to address a critical command execution vulnerability in the Nexus Dashboard Fabric Controller (NDFC) caused by inadequate validation of command arguments and improper user authorization. Tracked as CVE-2024-20432 (CVSS score: 9.9), it could allow a remote, low-privileged, authenticated attacker to perform a command injection attack against an affected device. The bug is fixed in NDFC version 12.2.2; note that versions 11.5 and lower are not affected.
An attacker could exploit this issue through the web UI or by submitting specially crafted commands to a vulnerable REST API endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the CLI of a Cisco NDFC-managed device with network-admin privileges.
Impact
- Code Execution
- File Manipulation
- Exposure of Sensitive Data
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2024-23113
- CVE-2024-9463
- CVE-2024-9464
- CVE-2024-9465
- CVE-2024-9466
- CVE-2024-9467
- CVE-2024-20432
Remediation
- Refer to FortiGuard Advisory for patch, upgrade, or suggested workaround information.
- Refer to Palo Alto Networks Security Advisory for patch, upgrade, or suggested workaround information.
- Refer to Cisco Security Advisory for patch, upgrade, or suggested workaround information.
- Organizations must test their assets for the vulnerabilities mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.