Fortinet FG-IR-24-029: Remote Code Execution Vulnerability in FortiProxy and FortiOS

Summary:

Fortinet recently disclosed a critical vulnerability (FG-IR-24-029) affecting FortiProxy and FortiOS that could allow an attacker to execute arbitrary code. The vulnerability, identified as CVE-2024-XXXX, stems from improper error handling of HTTP/2 request headers. The flaw presents a significant risk because it can be used to take control of affected devices without authentication. Fortinet has released patches that address the vulnerability, and users are urged to update their systems immediately to avoid exploitation.

Risks:

This vulnerability poses a severe threat to organizations using FortiProxy and FortiOS, particularly those in high-security environments. The remote code execution (RCE) aspect allows attackers to fully compromise the system, potentially leading to data breaches, network infiltration, or the installation of malicious software. As this attack can be carried out without authentication, the risk is particularly high for devices exposed to the internet.

Affected Devices:

  • FortiProxy versions: 7.2.0 to 7.2.2

  • FortiOS versions: 7.0.0 to 7.0.13, 7.2.0 to 7.2.5, 7.4.0 to 7.4.2

These versions of FortiProxy and FortiOS are vulnerable and need immediate attention. If you are running any of the listed versions, your systems are at risk of exploitation.

Remediation:

Fortinet has released updates to address this vulnerability. The company recommends upgrading to the following patched versions:

  • FortiProxy: Upgrade to version 7.2.3 or later

  • FortiOS: Upgrade to version 7.0.14, 7.2.6, or 7.4.3 or later

In addition to upgrading, it is essential to regularly monitor logs for any suspicious activity related to HTTP/2 requests.
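To turn the version lists above into a repeatable check, the following Python script (an added example, not Fortinet's code or tooling) encodes the affected ranges and first fixed releases exactly as this advisory states them and reports, for each device in an inventory, whether it is affected and which release to upgrade to. The product names, the `(product, version)` inventory shape and the sample devices are assumptions for illustration.

```python
# Added example (not Fortinet's code): check whether a FortiOS or FortiProxy
# version falls inside the ranges listed in FG-IR-24-029 and, if so, report
# the first fixed release on the same branch.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges copied from the advisory's "Affected Devices" and "Remediation"
# sections: (first affected, last affected, first fixed), inclusive bounds.
AFFECTED = {
    "FortiProxy": [((7, 2, 0), (7, 2, 2), (7, 2, 3))],
    "FortiOS": [
        ((7, 0, 0), (7, 0, 13), (7, 0, 14)),
        ((7, 2, 0), (7, 2, 5), (7, 2, 6)),
        ((7, 4, 0), (7, 4, 2), (7, 4, 3)),
    ],
}


def parse_version(text: str) -> Version:
    """Parse '7.2.5' or 'v7.2.5' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(product: str, version: str) -> Optional[str]:
    """Return the first fixed release if `version` is affected, else None.

    Branches the advisory does not list (e.g. 6.4.x) and unknown products
    are reported as not affected by *this* advisory, not as safe in general.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED.get(product, []):
        if low <= v <= high:  # tuple comparison orders major, then minor, then patch
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [("FortiOS", "7.2.5"), ("FortiOS", "7.4.3"), ("FortiProxy", "v7.2.1")]
    for product, ver in sample:
        fix = fixed_version_for(product, ver)
        print(product, ver, "-> upgrade to", fix if fix else "not affected by FG-IR-24-029")
```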

Conclusion:

Organizations using vulnerable versions of FortiProxy and FortiOS must prioritize upgrading to the latest patched versions to prevent exploitation. The critical nature of the vulnerability, combined with its ease of exploitation, makes it a top priority for network security teams to address immediately.

Reference: https://www.fortiguard.com/psirt/FG-IR-24-029