CISA Flags Fortinet and Ivanti Vulnerabilities: A Call to Action for Cybersecurity
The cybersecurity landscape is ever-evolving, and recent developments have highlighted the urgent need for vigilance among organizations relying on Fortinet and Ivanti products. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added vulnerabilities in these products to its Known Exploited Vulnerabilities (KEV) catalog, signaling that they are currently being exploited in the wild. This announcement marks yet another challenging chapter for security vendors, particularly as they grapple with a year fraught with vulnerabilities.
Fortinet’s Vulnerability: A Critical Threat
The vulnerability affecting Fortinet products, tracked as CVE-2024-23113, was initially disclosed in February 2024 during what many have dubbed a "week to forget" for the company. Despite its critical severity rating of 9.8, the vulnerability did not receive the attention it warranted at the time, overshadowed by other critical bugs like CVE-2024-21762 that were actively being exploited.
CVE-2024-23113 is a format string vulnerability that impacts the FortiOS fgfmd daemon, allowing remote attackers to execute arbitrary code and commands through specially crafted packets. This vulnerability affects a wide range of Fortinet products, including:
- FortiOS: Versions 7.0.0 through 7.0.13, 7.2.0 through 7.2.6, and 7.4.0 through 7.4.2
- FortiPAM: All versions of 1.0, 1.1, and 1.2
- FortiProxy: Versions 7.0.0 through 7.0.15, 7.2.0 through 7.2.8, and 7.4.0 through 7.4.2
- FortiWeb: Versions 7.4.0 through 7.4.2
Fortinet has recommended that organizations apply the relevant patches as soon as possible. However, for those unable to do so immediately, a temporary workaround is available. Administrators can remove fgfm access for every vulnerable interface, which will prevent FortiManager from discovering FortiGate devices. While this measure can reduce the attack surface, it does not eliminate the vulnerability entirely. Fortinet cautions that a local-in policy allowing fgfm connections from a specific IP can mitigate risks but does not prevent exploitation from that IP.
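The interface-level workaround described above, shown as FortiOS CLI configuration. This is an added illustration, not text from the article or from Fortinet's advisory; the interface name "port1" and the other services listed on the `allowaccess` line are assumptions, and your own interfaces and administrative-access settings will differ.

```text
# Before: the interface exposes fgfm (FortiManager discovery) alongside
# the other administrative services. Interface name "port1" is assumed.
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
end

# After: fgfm removed from the allowed services on that interface.
# FortiManager will no longer discover this FortiGate over this interface;
# the other services are left as they were.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Check: list interface configuration and look for any remaining
# "set allowaccess" lines that still include fgfm.
show system interface
```

Apply the change to every interface that currently carries `fgfm` in its `allowaccess` list, not only the WAN-facing ones, and treat the result as an interim measure until the fixed FortiOS, FortiPAM, FortiProxy or FortiWeb build is installed. As the article notes, restricting fgfm with a local-in policy to a single source address narrows who can reach the daemon but does not stop exploitation from that address, so it is a complement to patching rather than a substitute.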
CISA’s KEV catalog entries also indicate whether vulnerabilities are known to be used in ransomware attacks. In this case, the status is marked as "unknown," which, while preferable to a confirmed exploitation in ransomware, should not delay remediation efforts for this nine-month-old vulnerability.
Ivanti’s Troubles: New Vulnerabilities Discovered
Ivanti’s year has been equally tumultuous, marked by a significant patching mishap related to multiple Connect Secure vulnerabilities. This led to the company’s commitment to a "secure-by-design" overhaul in April 2024. However, the vulnerabilities recently added to CISA’s KEV list are new and pertain to Ivanti Cloud Services Application (CSA), which is designed to facilitate secure remote connections.
The first vulnerability, CVE-2024-9379, is an SQL injection vulnerability in the CSA admin web console, carrying a medium severity rating of 6.5. This flaw allows attackers with admin privileges to execute SQL statements or run code, affecting all CSA versions prior to 5.0.2, including the end-of-life version 4.6.
The second vulnerability, CVE-2024-9380, is an OS command injection bug with a higher severity rating of 7.2. This vulnerability also allows for code execution and affects CSA 5.0. The vendor reported that some customers running the EOL version 4.6 were being targeted with these two vulnerabilities, which were found to be chained with CVE-2024-8963, a critical path traversal bug rated at 9.4.
Ivanti has emphasized the importance of reviewing the CSA for any modified or newly added administrative users, as some attack attempts may be logged locally. The company recommends a layered security approach, including the installation of Endpoint Detection and Response (EDR) tools on the CSA. In cases of suspected compromise, Ivanti advises customers to rebuild their CSA using version 5.0.2.
Conclusion: The Imperative of Cyber Hygiene
The recent vulnerabilities in Fortinet and Ivanti products serve as a stark reminder of the ever-present threats in the cybersecurity landscape. Organizations must prioritize patch management and implement robust security measures to protect their systems from exploitation. With CISA’s KEV catalog highlighting these vulnerabilities, the time for action is now. Cyber hygiene is not just a best practice; it is a necessity in safeguarding sensitive data and maintaining the integrity of digital infrastructures. As the threat landscape continues to evolve, vigilance and proactive measures will be key to navigating the challenges ahead.