Threat actor Hunt3rkill3rs1 is offering a CVE-2024-21762 exploit sale on a dark web forum. The exploit is designed to capitalize on the vulnerability identified as CVE-2024-21762, impacting Fortinet’s FortiOS and FortiProxy systems.
This exploit targets an out-of-bounds write vulnerability within SSL VPN, enabling unauthorized execution of code or commands by leveraging meticulously crafted requests, ultimately paving the way for remote code execution (RCE) on the compromised system.
CVE-2024-21762 Exploit Sale Targets SSL VPN Functionality of FortiOS
The post made by the threat actor on BreachForums, dubbed “CVE-2024-21762 Exploit by Hunt3rkill3rs1,” appeared on March 23, 2024. It shed light on a severe security flaw within FortiOS, particularly concerning the SSL VPN.
FortiGate had previously released an update in February, addressing various vulnerabilities, among which was this unauthorized out-of-bounds write vulnerability. The exploit sale post hinted at the gravity of the situation, stating that the vulnerability had the potential to be exploited in the wild. “This is potentially being exploited in the wild”, says FortiGuard.
Hunt3rkill3rs1, the individual behind the exploit sale, detailed the process of exploiting this vulnerability, offering insights into the method used to achieve remote code execution. The post included a proof-of-concept (PoC) to demonstrate the efficacy of the exploit, accompanied by a link allowing interested parties to purchase the exploit for $315 in Bitcoin.
Technical Analysis of the PoC
Upon closer examination of the provided PoC code, The Cyber Express found a Python script tailored to exploit CVE-2024-21762, a vulnerability affecting Fortinet’s FortiOS and FortiProxy systems. The script orchestrated HTTP requests directed at specific IP addresses and ports, aiming to exploit the vulnerability and execute arbitrary code on the target system.
It comprised modules for essential functionalities such as socket creation and payload transmission, alongside a main function responsible for generating and dispatching the exploit payloads. Comments and placeholders within the script hinted at its potential for unauthorized access or control over the targeted systems.
The Cyber Express has reached out to the organization to verify the authenticity of the CVE-2024-21762 exploit sale. However, at the time of writing this, no official statement or response has been received, leaving the claims made by the Hunt3rkill3rs1 stand unconfirmed right now.
The CVE-2024-21762 Advisory
This incident follows Fortinet’s disclosure on February 8, 2024, revealing multiple critical vulnerabilities within FortiOS, the operating system underpinning Fortigate SSL VPNs. Among these vulnerabilities was CVE-2024-21762, which, according to Fortinet, posed a serious threat by potentially allowing remote attackers to execute arbitrary code or commands on Fortinet SSL VPNs through crafted HTTP requests.
Notably, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed CVE-2024-21762 on their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming instances of exploitation in the wild. Products affected by CVE-2024-21762 include various versions of FortiOS and FortiProxy. While Fortinet initially omitted FortiProxy from the list of affected products, subsequent updates acknowledged its vulnerability.
Fortinet has provided mitigation guidance recommending fixed versions to address CVE-2024-21762. Customers are advised to upgrade to the following versions or newer:
- FortiOS: 7.4.3 or later, 7.2.7 or later, 7.0.14 or later, 6.4.15 or later, 6.2.16 or later.
- FortiProxy: 7.4.3 or later, 7.2.9 or later, 7.0.15 or later, 2.0.14 or later.
Moreover, customers are encouraged to disable SSL VPN as a workaround, with a warning that disabling webmode is not deemed a workable solution.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
