CISA adds fresh Ivanti vuln, critical Fortinet bug to hall of shame

The US Cybersecurity and Infrastructure Security Agency (CISA) says vulnerabilities in Fortinet and Ivanti products are now being exploited, earning them places in its Known Exploited Vulnerabilities (KEV) catalog.

It comes as the latest blow to the security shops, which haven't had the best year in terms of vulnerabilities.

The vulnerability affecting multiple Fortinet products was first disclosed back in February during what came to be known as a week to forget for the company.

Despite carrying a critical (9.8) severity rating, it flew somewhat under the radar due to other critical bugs such as CVE-24-21762 being actively exploited at the time.

Tracked as CVE-2024-23113, the format string vulnerability affects the FortiOS fgfmd daemon and allows remote attackers to execute code and commands via specially crafted packets.

It affects an array of products – FortiOS, FortiPAM, FortiProxy, and FortiWeb – and different versions therein.

• FortiOS 7.0.0 through 7.0.13

• FortiOS 7.2.0 through 7.2.6

• FortiOS 7.4.0 through 7.4.2

• FortiPAM 1.0 all versions

• FortiPAM 1.1 all versions

• FortiPAM 1.2 all versions

• FortiProxy 7.0.0 through 7.0.15

• FortiProxy 7.2.0 through 7.2.8

• FortiProxy 7.4.0 through 7.4.2

• FortiWeb 7.4.0 through 7.4.2

As ever, applying the relevant patches is recommended, but if for whatever reason that can't be done right away, Fortinet said a workaround can be implemented as a temporary measure.

It requires admins to remove the fgfm access for every vulnerable interface. While this will prevent FortiManager from discovering FortiGate devices, connections will still be possible from FortiGate.

"Please also note that a local-in policy that only allows fgfm connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP," the advisory reads. "As a consequence, this should be used as a mitigation and not as a complete workaround."

Every entry on CISA's KEV list helpfully carries information about whether the vulnerability is known to be used in ransomware attacks. The value is set to "unknown" in this case, which of course is better than a yes, but shouldn't serve as a reason to delay fixing the nine-month-old bug.

Ivanti's turn

Ivanti's start to the year was equally if not more tumultuous than Fortinet's. A patching mishap related to multiple Connect Secure vulnerabilities led to its secure-by-design overhaul commitment in April.

The vulnerabilities recently added to CISA's KEV list are new, however, rather than relating to the earlier issues, and affect Ivanti Cloud Services Application (CSA), which facilitates secure remote connections to resources.

The first is CVE-2024-9379 – an SQL injection vulnerability in the CSA admin web console carrying a 6.5 (medium) severity rating. It allows attackers with admin privileges to run SQL statements or execute code and affects CSA versions before 5.0.2, which of course includes version 4.6 – an end-of-life release that received its last update in September.

Ivanti CSA's admin web console is also the source of the second vulnerability that's now known to be exploited. CVE-2024-9380 is an OS command injection bug that has a slightly higher 7.2 (high) severity rating and can also lead to code execution.

• Ivanti patches exploited admin command execution flaw
• Ivanti commits to secure-by-design overhaul after vulnerability nightmare
• Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws
• Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim

The vendor said it was made aware that some customers running the EOL version 4.6 were being attacked with these two vulnerabilities chained with CVE-2024-8963 – a 9.4 (critical) path traversal bug leading to restricted functionality being accessed.

Although the two vulnerabilities affect CSA 5.0, no exploits have been observed in appliances running this version.

"It is important for customers to know, CVE-2024-8963 was incidentally addressed in previous versions of CSA 5.0 with the removal of unnecessary code," said Ivanti in its advisory. 

"The vulnerabilities disclosed were discovered during our investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 in CSA 4.6 and found to be present, although not exploited, in CSA 5.0."

Curiously, Ivanti also noted that a separate path traversal vulnerability, CVE-2024-9381, was also being exploited while being chained with CVE-2024-8963, but it wasn't added to CISA's KEV catalog.

"Ivanti recommends reviewing the CSA for modified or newly added administrative users," the advisory went on to say. "While inconsistent, some attempts may show up in the broker logs which are local to the system. We also recommend reviewing EDR alerts, if you have installed EDR or other security tools on your CSA. As this is an edge device, Ivanti strongly recommends using a layered approach to security and installing an EDR tool on the CSA.

"If you suspect compromise, Ivanti's recommendation is that you rebuild your CSA with version 5.0.2." ®