
Triple Threat Advisory – Fortinet, Palo Alto and Cisco issue threat warnings

Written by Integrity360 | 10 October 2024 13:56:11 Z

Fortinet – CVE-2024-23113 (CVSS score: 9.8)

This vulnerability was initially published on 08 February 2024.

The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), is a remote code execution flaw affecting FortiOS, FortiPAM, FortiProxy, FortiWeb and FortiSwitchManager. It stems from the use of an externally-controlled format string in the fgfmd daemon, which implements the FortiGate-to-FortiManager (FGFM) protocol and handles authentication requests and keep-alive messages on every interface where fgfm is enabled in allowaccess. Because attacker-supplied data reaches a format string, a specially crafted request can be interpreted as format directives rather than data, giving an unauthenticated remote attacker code execution on the device.

Summary:

A use of an externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows an attacker to execute unauthorized code or commands via specially crafted packets.

Exploited in the wild:

CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming that it is being actively exploited in the wild. Exploitation requires no authentication, user interaction or prior privileges: an attacker who can reach the fgfmd service over the network sends the crafted request directly, which is why the flaw rates as a network-reachable, low-complexity attack vector. Attackers are using it to gain unauthorised access to vulnerable devices.

The exploitation of this vulnerability poses significant risks to organisations, especially those using these products in critical infrastructure.

Recommendations:

Fortinet has released patches for CVE-2024-23113. Organisations are strongly advised to upgrade to a fixed build. Based on the affected ranges listed above, the minimum fixed versions per branch are:

  • FortiOS: upgrade to version 7.4.3, 7.2.7 or 7.0.14 or above, depending on your branch.
  • FortiProxy: upgrade to version 7.4.3, 7.2.9 or 7.0.15 or above.
  • FortiPAM: upgrade to version 1.2.1 or above (the 1.1 and 1.0 branches are affected and should be moved to 1.2.1 or later).
  • FortiWeb: upgrade to version 7.4.3 or above.
  • FortiSwitchManager: upgrade to version 7.2.4 or 7.0.4 or above.

Organisations must act swiftly to apply patches and implement mitigation strategies to protect their systems from unauthorised access and potential data breaches.


Follow the recommended upgrade path using Fortinet’s tool at: https://docs.fortinet.com/upgrade-tool

Workarounds:

For each interface, remove fgfm from the allowed administrative access. For example, change:

config system interface
    edit "portX"
        set allowaccess ping https ssh fgfm
    next
end

to:

config system interface
    edit "portX"
        set allowaccess ping https ssh
    next
end

Note that this prevents FortiManager from discovering or initiating connections to the FortiGate on that interface. Connections initiated by the FortiGate towards FortiManager are still possible.

Note also that a local-in policy that only allows FGFM connections from a specific IP address reduces the attack surface but does not prevent the vulnerability from being exploited from that address. It should therefore be treated as a mitigation, not as a complete workaround.
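As an added example (not Fortinet's code and not part of the original advisory), the following Python script audits a FortiOS configuration export for interfaces that still list fgfm in allowaccess, separates interfaces where a local-in deny rule narrows the source from those that are fully exposed, and prints the workaround commands above for each interface that needs them. The sample configuration is constructed for the example; the local-in policy semantics it assumes (top-down matching, unmatched traffic accepted, so an accept-from-one-IP rule needs a following deny to restrict anything) and the predefined FGFM service name should be checked against the FortiOS documentation for your release.

```python
# Added example for this advisory (not Fortinet code): audit a FortiOS CLI config export
# for fgfm exposure and emit the FG-IR-24-029 workaround. SAMPLE_CONFIG is constructed.
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "mgmt"
        set allowaccess ping https ssh fgfm
    next
end
config firewall local-in-policy
    edit 1
        set intf "mgmt"
        set srcaddr "FortiManager"
        set action accept
        set service "FGFM"
    next
    edit 2
        set intf "mgmt"
        set srcaddr "all"
        set action deny
        set service "FGFM"
    next
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end text into {section: {entry: {attr: [values]}}};
    a 'config' block nested inside an entry becomes a sub-dict under its name."""
    root, stack = {}, []  # stack frames: [section_dict, current_entry_or_None]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())  # also strips the quotes around names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        # where a 'set' or nested 'config' lands: root, the open entry, or the open section
        target = root if not stack else (stack[-1][1] if stack[-1][1] is not None else stack[-1][0])
        if cmd == "config":
            stack.append([target.setdefault(" ".join(args), {}), None])
        elif cmd == "edit":
            stack[-1][1] = stack[-1][0].setdefault(" ".join(args), {})
        elif cmd == "set":
            target[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return root


def fgfm_denied_from_others(sections, intf):
    """True if a local-in policy denies FGFM (or ALL services) from srcaddr 'all' on
    this interface. Assumption (verify for your release): local-in policies match
    top-down and unmatched traffic is accepted, so an accept-from-one-IP rule only
    restricts access when a deny-from-all rule for the service backs it up."""
    return any(pol.get("action") == ["deny"] and pol.get("srcaddr") == ["all"]
               and pol.get("intf") in (["any"], [intf])
               and any(s.upper() in ("FGFM", "ALL") for s in pol.get("service", []))
               for pol in sections.get("firewall local-in-policy", {}).values())


def audit_fgfm(config_text):
    """Classify each interface: 'ok' (fgfm not enabled), 'restricted' (fgfm enabled but
    a local-in deny limits sources; still exploitable from the allowed IP) or 'exposed'."""
    sections = parse_fortios_config(config_text)
    report = {}
    for name, attrs in sections.get("system interface", {}).items():
        if not any(v.lower() == "fgfm" for v in attrs.get("allowaccess", [])):
            report[name] = "ok"
        elif fgfm_denied_from_others(sections, name):
            report[name] = "restricted"
        else:
            report[name] = "exposed"
    return report


def workaround_cli(config_text):
    """CLI text applying the advisory's workaround (allowaccess minus fgfm) to every
    interface that still lists fgfm; empty string when nothing needs changing."""
    cmds = ["config system interface"]
    for name, attrs in parse_fortios_config(config_text).get("system interface", {}).items():
        access = attrs.get("allowaccess", [])
        kept = [v for v in access if v.lower() != "fgfm"]
        if len(kept) == len(access):
            continue  # fgfm was not enabled on this interface
        cmds += [f'    edit "{name}"',
                 f"        set allowaccess {' '.join(kept)}" if kept else "        unset allowaccess",
                 "    next"]
    cmds.append("end")
    return "\n".join(cmds) if len(cmds) > 2 else ""


if __name__ == "__main__":
    print(audit_fgfm(SAMPLE_CONFIG))  # {'port1': 'exposed', 'port2': 'ok', 'mgmt': 'restricted'}
    print(workaround_cli(SAMPLE_CONFIG))
```

Feed it the output of a full configuration backup (or the relevant `show system interface` and `show firewall local-in-policy` sections) rather than the sample. Interfaces reported as "restricted" still need the upgrade: the script mirrors the advisory's point that a source-restricted local-in policy is a mitigation, not a fix, and the "exposed" list is what the generated workaround block addresses.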

Please see more on: https://www.fortiguard.com/psirt/FG-IR-24-029

CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA


Palo Alto – CVE-2024-9463 (CVSS score: 9.9)

Summary:

Multiple vulnerabilities in Palo Alto Networks Expedition allow an attacker to read Expedition database contents and arbitrary files, and to write arbitrary files to temporary storage locations on the Expedition system. Taken together, these expose usernames, cleartext passwords, device configurations and device API keys of the PAN-OS firewalls that Expedition has processed.

These issues do not affect the firewalls, Panorama, Prisma Access, or Cloud NGFW.

The vulnerabilities, which affect all versions of Expedition prior to 1.2.96, are listed below:

  • CVE-2024-9463 (CVSS score: 9.9) - An operating system (OS) command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root
  • CVE-2024-9464 (CVSS score: 9.3) - An OS command injection vulnerability that allows an authenticated attacker to run arbitrary OS commands as root
  • CVE-2024-9465 (CVSS score: 9.2) - An SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents
  • CVE-2024-9466 (CVSS score: 8.2) - A cleartext storage of sensitive information vulnerability that allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials
  • CVE-2024-9467 (CVSS score: 7.0) - A reflected cross-site scripting (XSS) vulnerability that enables execution of malicious JavaScript in the context of an authenticated Expedition user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft

Solution:

The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions.

The cleartext file affected by CVE-2024-9466 will be removed automatically during the upgrade.

All Expedition usernames, passwords, and API keys should be rotated after upgrading to the fixed version of Expedition.

All firewall usernames, passwords, and API keys processed by Expedition should be rotated after updating.

Workarounds and Mitigations:

Ensure network access to Expedition is restricted to authorised users, hosts, or networks.

If Expedition is not in active use, ensure that Expedition software is shut down.

For CVE-2024-9465, you can check for an indicator of compromise by querying the Expedition database on the Expedition system (replace "root" with the database user you actually use):

mysql -uroot -p -D pandb -e "SELECT * FROM cronjobs;"

The cronjobs table should normally be empty. If any records are returned, treat the system as potentially compromised. An empty result does not prove the system is clean: this check can only point to a potential compromise, it cannot confirm that a system has not been compromised.

There are no practical indicators of compromise for the remainder of the CVEs in this advisory.

Customers are advised to monitor the Palo Alto Networks security advisory for changes to these CVEs: https://security.paloaltonetworks.com/PAN-SA-2024-0010


Cisco – CVE-2024-20432 (CVSS score: 9.9)

Summary:

CVE-2024-20432 (CVSS score: 9.9) affects the REST API and web UI of Cisco Nexus Dashboard Fabric Controller (NDFC). It could permit an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device. The flaw is fixed in NDFC release 12.2.2; releases 11.5 and earlier are not affected.

This vulnerability is due to improper user authorization and insufficient validation of command arguments. An attacker could exploit this vulnerability by submitting crafted commands to an affected REST API endpoint or through the web UI. A successful exploit could allow the attacker to execute arbitrary commands on the CLI of a Cisco NDFC-managed device with network-admin privileges.

Affected Products:

This vulnerability affects Cisco NDFC.

Note: This vulnerability does not affect Cisco NDFC when it is configured for SAN controller deployment.

Note: Starting with Cisco Nexus Dashboard Release 3.1(1k), Cisco NDFC is distributed in Cisco Nexus Dashboard unified releases.

Recommendation:

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Note: Cisco Nexus Dashboard Release 3.2(1e) includes Cisco NDFC Release 12.2.2, so deployments on unified releases should move to 3.2(1e) or later.

Further Patching On Other Cisco products:

Cisco has also published fixes for further vulnerabilities in other products. Patches are available for all of them and administrators should apply them promptly; the full list is on Cisco's security advisories overview page.

Customers are advised to review the products they run and apply the security patches as soon as possible.