October 9, 2024 at 06:11PM
CISA announced that attackers are exploiting a critical FortiOS remote code execution vulnerability (CVE-2024-23113), allowing unauthenticated access to unpatched devices. U.S. federal agencies must secure their FortiOS devices within three weeks. Fortinet recommends removing access to the vulnerable fgfmd daemon as a mitigation measure.
### Meeting Takeaways:
1. **Critical Vulnerability Alert**: CISA has disclosed that there is active exploitation of a critical remote code execution (RCE) vulnerability in FortiOS, identified as CVE-2024-23113.
2. **Nature of the Vulnerability**:
– The flaw is a format string bug in the fgfmd daemon (the FortiGate-to-FortiManager protocol service); a remote, unauthenticated attacker can exploit it to execute arbitrary code on unpatched devices.
– This flaw affects FortiOS versions 7.0 and later, along with FortiPAM 1.0+, FortiProxy 7.0+, and FortiWeb 7.4.
3. **Mitigation Recommendations**:
– Fortinet initially advised administrators to restrict access to the fgfmd daemon on all interfaces as a mitigation strategy, although this would limit some functionalities like FortiGate discovery from FortiManager.
– Implementing local-in policies that restrict FGFM connections to specific IPs may reduce the attack surface but does not eliminate the threat.
4. **Federal Response**:
– Under Binding Operational Directive BOD 22-01, U.S. federal agencies are mandated to patch their FortiOS devices within three weeks (by October 30) because of the ongoing exploitation.
– CISA notes that vulnerabilities of this kind are frequent attack vectors for malicious actors and pose significant risks to the federal enterprise.
5. **Historical Context**:
– The vulnerability follows a similar incident involving Chinese hackers exploiting another critical FortiOS vulnerability (CVE-2022-42475) from 2022 to 2023, which affected at least 20,000 network security appliances.
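As an added illustration of the two mitigations in item 3 (not code from the article or from Fortinet's advisory), the FortiOS CLI fragments below show the exposed setting beside the hardened one, followed by the partial local-in policy mitigation. The interface name, the address and service object names, and the 203.0.113.10 management address are placeholders, and the field names are assumed from the FortiOS CLI; confirm them against Fortinet's advisory for your firmware version before applying.

```text
# Added example, not Fortinet's or the article's configuration.
# "wan1", "FortiManager-mgmt" and 203.0.113.10 are placeholders.

# Exposed: fgfm listed in allowaccess on an internet-facing interface
config system interface
    edit "wan1"
        set allowaccess ping https ssh fgfm
    next
end

# Hardened (Fortinet's recommended workaround): fgfm removed from the list
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# Partial mitigation only: permit FGFM (TCP 541) from the FortiManager
# address and deny it from everywhere else. This shrinks the attack
# surface but does not remove the bug; the device must still be patched.
config firewall address
    edit "FortiManager-mgmt"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall service custom
    edit "FGFM-tcp541"
        set tcp-portrange 541
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "FortiManager-mgmt"
        set dstaddr "all"
        set service "FGFM-tcp541"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "FGFM-tcp541"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are evaluated top-down, so the accept entry for the management address must precede the catch-all deny.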
### Action Items:
– Ensure that all relevant FortiOS devices are updated with the latest patches as per the federal directive.
– Review existing access controls and local-in policies to enhance security against potential exploitation.