On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of a critical security vulnerability affecting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog. This action was taken in light of evidence indicating ongoing exploitation of this flaw.
Identified as CVE-2024-23113, this vulnerability has a CVSS score of 9.8 and pertains to a remote code execution issue impacting FortiOS, FortiPAM, FortiProxy, and FortiWeb platforms. Fortinet’s advisory, released in February 2024, noted that a vulnerability related to externally-controlled format strings in the FortiOS fgfmd daemon could enable remote, unauthenticated attackers to execute arbitrary code through specially crafted requests.
The nature of the exploitation remains largely undisclosed, as CISA’s bulletin lacks specifics regarding the perpetrators or targeted entities. In response to the risings threats linked to this flaw, Federal Civilian Executive Branch (FCEB) agencies are required to implement vendor-supplied mitigations by October 30, 2024, to enhance security defenses.
Palo Alto Networks Reveals Serious Vulnerabilities in Expedition
In a related incident, Palo Alto Networks disclosed multiple vulnerabilities within its Expedition product that could allow unauthorized access to sensitive information, including database contents and arbitrary files. These vulnerabilities, affecting all Expedition versions prior to 1.2.96, collectively pose significant risks to security.
The disclosure specifies vulnerabilities such as CVE-2024-9463, a CVSS score of 9.9, which enables unauthenticated attackers to execute arbitrary OS commands as root. Other critical vulnerabilities, such as CVE-2024-9465 (CVSS score: 9.2), involve SQL injection attacks that could expose Expedition database contents. Furthermore, authenticated attackers could exploit vulnerabilities to reveal sensitive information, including usernames and device API keys, as outlined by Palo Alto Networks in a recent advisory.
While the vulnerabilities have been publicly documented, there is no evidence that they have been actively exploited thus far. Horizon3.ai has already made details available for reproducing the issues, emphasizing potential defensive measures such as limiting access to authorized personnel and restricting the software’s availability when not in use.
Cisco Addresses Critical Flaw in Nexus Dashboard Fabric Controller
Last week, Cisco released patches to address a command execution vulnerability—tracked as CVE-2024-20432 (CVSS score: 9.9)—in its Nexus Dashboard Fabric Controller (NDFC). This flaw, resulting from inadequate user authorization and insufficient validation of command arguments, can be exploited by low-privileged remote users to perform command injection attacks on affected devices.
This new vulnerability was found to permit attackers to manipulate REST API commands or commands submitted via the web interface to execute arbitrary commands on the NDFC CLI with network-admin privileges. Cisco emphasized that this critical vulnerability has already been remediated in NDFC version 12.2.2, while versions 11.5 and earlier remain unaffected.
As these vulnerabilities come to light, they underscore the heightened cybersecurity risks faced by organizations. The exposure of critical flaws, especially ones involving remote code execution and command injection, indicates a need for comprehensive assessments of existing security protocols. Organizations should prioritize applying timely updates and patches as part of their ongoing risk management strategies to safeguard their systems against potential exploitation, according to the MITRE ATT&CK framework, which outlines such techniques as initial access and privilege escalation as relevant tactics likely employed in these attacks.
