Ivanti: CVE-2024-22024 – Authentication Bypass Vulnerability
Ivanti has recently disclosed a high-severity security flaw, tracked as CVE-2024-22024, affecting its Connect Secure, Policy Secure, and ZTA gateway devices. This vulnerability, rated 8.3 out of 10 on the CVSS scoring system, enables attackers to bypass authentication through an XML external entity (XXE) weakness in the SAML component of the affected products. The flaw was discovered during an internal review as part of an ongoing investigation into multiple security weaknesses in the products.
The impacted Ivanti product versions include:
- Ivanti Connect Secure (9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
- Ivanti Policy Secure (version 22.5R1.1)
- ZTA (version 22.6R1.3)
Ivanti has released patches for the vulnerability in various product versions. Users are urged to update to the latest patched versions immediately. While there is currently no evidence of active exploitation, given the history of abuse for other vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893), prompt application of the patches is crucial to ensure security.
Fortinet: CVE-2024-21762 – Critical Vulnerability in FortiOS SSL VPN
Fortinet has disclosed a critical security flaw, CVE-2024-21762, impacting FortiOS SSL VPN, with a CVSS score of 9.6. This vulnerability allows for the unauthenticated execution of arbitrary code and commands through an out-of-bounds write weakness in FortiOS. The company acknowledges the potential exploitation of this vulnerability in the wild.
The affected FortiOS versions include:
- FortiOS 7.4 (versions 7.4.0 through 7.4.2)
- FortiOS 7.2 (versions 7.2.0 through 7.2.6)
- FortiOS 7.0 (versions 7.0.0 through 7.0.13)
- FortiOS 6.4 (versions 6.4.0 through 6.4.14)
- FortiOS 6.2 (versions 6.2.0 through 6.2.15)
- FortiOS 6.0 (all versions)
Fortinet recommends users and administrators of the affected product versions to update to the latest versions immediately to mitigate the risk of remote code execution. If not able to update, a workaround, it is also advised to disable SSL VPN (disable webmode is NOT a valid workaround).
Fortinet: CVE-2024-23113 – Critical Vulnerability in FortiOS – Format String Bug in fgfmd
Fortinet has disclosed another critical security flaw, CVE-2024-23113, impacting FortiOS fgfmd daemon, with a CVSS score of 9.8. It is an externally-controlled format string vulnerability that allows a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
The affected FortiOS versions include:
- FortiOS 7.4 (versions 7.4.0 through 7.4.2) – Upgrade to 7.4.3 or above
- FortiOS 7.2 (versions 7.2.0 through 7.2.6) – Upgrade to 7.2.7 or above
- FortiOS 7.0 (versions 7.0.0 through 7.0.13) – Upgrade to 7.0.14 or above
Fortinet recommends users and administrators of the affected product versions to update to the latest versions immediately to mitigate the risk of remote code execution.
References
- https://thehackernews.com/2024/02/fortinet-warns-of-critical-fortios-ssl.html
- https://fortiguard.fortinet.com/psirt/FG-IR-24-015
- https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-016
- https://thehackernews.com/2024/02/fortinet-warns-of-critical-fortios-ssl.html
- https://www.bleepingcomputer.com/news/security/ivanti-patch-new-connect-secure-auth-bypass-bug-immediately/
- https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
- https://www.bleepingcomputer.com/news/security/new-fortinet-rce-flaw-in-ssl-vpn-likely-exploited-in-attacks/
- https://www.fortiguard.com/psirt/FG-IR-24-029
