Fortinet Patches Multiple Vulnerabilities Impacting FortiOS & Other Products
Fortinet, a leader in cybersecurity solutions, has released patches addressing several vulnerabilities affecting its FortiOS, FortiProxy, FortiPAM, FortiSwitchManager, FortiManager, and FortiAnalyzer products.
If exploited, these vulnerabilities could potentially allow unauthorized access and privilege escalation, posing a significant threat to affected systems.
Vulnerability Details
CVE-2022-45862
The graphical user interface (GUI) of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager was identified as having an insufficient session expiration vulnerability (CWE-613).
This flaw could allow attackers who have already obtained valid credentials to reuse a web session after the legitimate user has logged out.
The vulnerability has a CVSSv3 score of 3.5 (medium severity) and stems from improper access control. Affected products and their solutions include:
- FortiOS: Versions 7.2.0 through 7.2.5 are affected and require an upgrade to 7.2.6 or above. All versions of 7.0 and 6.4 are affected and need migration to a fixed release.
- FortiPAM: All versions from 1.0 to 1.3 are affected and require migration to a fixed release.
- FortiProxy: All versions of 7.2 and 7.0 are affected and need migration to a fixed release.
- FortiSwitchManager: Versions 7.2.0 through 7.2.1 are affected and should be upgraded to 7.2.2 or above.
CVE-2024-21757
An unverified password change vulnerability (CWE-620) was found in FortiManager and FortiAnalyzer. This issue could allow a read-write user to modify admin passwords via device configuration backup, leading to potential privilege escalation.
The vulnerability carries a CVSSv3 score of 5.5. Affected versions and solutions are:
- FortiAnalyzer: Versions 7.4.0 through 7.4.1 need an upgrade to 7.4.2 or above, and versions 7.2.0 through 7.2.4 should be upgraded to 7.2.5 or above.
- FortiManager: Versions 7.4.0 through 7.4.1 require an upgrade to 7.4.2 or above, and versions 7.2.0 through 7.2.4 should be upgraded to 7.2.5 or above.
CVE-2024-36505
This improper access control vulnerability (CWE-284) in FortiOS allows an attacker with write access to bypass the file integrity checking system. It has a CVSSv3 score of 4.7. The following versions are affected and require updates:
- FortiOS: Versions 7.4.0 through 7.4.3 should be upgraded to 7.4.4 or above, versions 7.2.5 through 7.2.7 should be upgraded to 7.2.8 or above, and versions 7.0.12 through 7.0.14 should be upgraded to 7.0.15 or above.
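As an added example that is not part of Fortinet's advisory or this article, the Python below transcribes the affected version ranges listed above and checks a constructed sample inventory against them; the hostnames and installed versions are assumptions for illustration, and "all versions of" a branch is modelled with a sentinel patch level.

```python
# Added audit script (not Fortinet's): checks a version inventory against the ranges on this page.
ANY = 10**6  # sentinel patch level meaning "every release on this branch"

def parse(version: str) -> tuple:
    """'7.0.12' -> (7, 0, 12), padded to three parts so tuples compare cleanly."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

# (cve, product, first affected, last affected, fixed release or None for "migrate to a fixed release")
RANGES = [
    ("CVE-2022-45862", "FortiOS", "7.2.0", "7.2.5", "7.2.6"),
    ("CVE-2022-45862", "FortiOS", "7.0.0", f"7.0.{ANY}", None),
    ("CVE-2022-45862", "FortiOS", "6.4.0", f"6.4.{ANY}", None),
    ("CVE-2022-45862", "FortiPAM", "1.0.0", f"1.3.{ANY}", None),
    ("CVE-2022-45862", "FortiProxy", "7.2.0", f"7.2.{ANY}", None),
    ("CVE-2022-45862", "FortiProxy", "7.0.0", f"7.0.{ANY}", None),
    ("CVE-2022-45862", "FortiSwitchManager", "7.2.0", "7.2.1", "7.2.2"),
    ("CVE-2024-21757", "FortiAnalyzer", "7.4.0", "7.4.1", "7.4.2"),
    ("CVE-2024-21757", "FortiAnalyzer", "7.2.0", "7.2.4", "7.2.5"),
    ("CVE-2024-21757", "FortiManager", "7.4.0", "7.4.1", "7.4.2"),
    ("CVE-2024-21757", "FortiManager", "7.2.0", "7.2.4", "7.2.5"),
    ("CVE-2024-36505", "FortiOS", "7.4.0", "7.4.3", "7.4.4"),
    ("CVE-2024-36505", "FortiOS", "7.2.5", "7.2.7", "7.2.8"),
    ("CVE-2024-36505", "FortiOS", "7.0.12", "7.0.14", "7.0.15"),
]

def findings(product: str, version: str) -> list:
    """Return (cve, required action) pairs for one installed product/version."""
    v = parse(version)
    hits = []
    for cve, prod, low, high, fix in RANGES:
        if prod == product and parse(low) <= v <= parse(high):
            action = f"upgrade to {fix} or above" if fix else "migrate to a fixed release"
            hits.append((cve, action))
    return hits

# Constructed sample inventory (hostname, product, version) to exercise the check.
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.2.6"),    # past the 45862 fix, still inside 36505's window
    ("fw-branch-02", "FortiOS", "7.0.14"),
    ("fmg-01", "FortiManager", "7.4.1"),
    ("faz-01", "FortiAnalyzer", "7.4.2"),
]

def audit(inventory=INVENTORY) -> dict:
    """Map each host to its findings; an empty list means nothing from this set applies."""
    return {host: findings(prod, ver) for host, prod, ver in inventory}

if __name__ == "__main__":
    for host, hits in audit().items():
        print(host, hits or "clean against this advisory set")
```

Note that a host can be fixed for one CVE and still sit inside another CVE's window, so the check must be run per CVE rather than against a single "latest" version.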
As of now, Fortinet has not disclosed any incidents where these vulnerabilities have been used in attacks.
Fortinet advises all users and administrators to apply the necessary updates to mitigate these vulnerabilities. The patches are crucial to maintaining system security and preventing potential exploitation by cyber threat actors.