Multiple vulnerabilities in Fortigate NGFW on Siemens RUGGEDCOM APE1808 devices
| Risk | Critical |
| Patch available | NO |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2024-21762 CVE-2024-23113 CVE-2023-38545 CVE-2023-38546 CVE-2023-44250 CVE-2023-44487 CVE-2023-47537 |
| CWE-ID | CWE-787 CWE-134 CWE-122 CWE-73 CWE-269 CWE-400 CWE-295 |
| Exploitation vector | Network |
| Public exploit |
Vulnerability #1 is being exploited in the wild. Vulnerability #2 is being exploited in the wild. Public exploit code for vulnerability #3 is available. Vulnerability #6 is being exploited in the wild. |
| Vulnerable software |
RUGGEDCOM APE1808 Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Out-of-bounds write
EUVDB-ID: #VU86278
Risk: Critical
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2024-21762
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing HTTP requests in sslvpnd. A remote attacker can send specially crafted HTTP requests to the SSL-VPN service, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsRUGGEDCOM APE1808: All versions
CPE2.3 External linkshttp://cert-portal.siemens.com/productcert/txt/ssa-832273.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) Format string error
EUVDB-ID: #VU86279
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2024-23113
CWE-ID:
CWE-134 - Use of Externally-Controlled Format String
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within the fgfmd communication daemon. A remote non-authenticated attacker can send specially crafted requests to the device and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsRUGGEDCOM APE1808: All versions
CPE2.3 External linkshttp://cert-portal.siemens.com/productcert/txt/ssa-832273.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Heap-based buffer overflow
EUVDB-ID: #VU81865
Risk: High
CVSSv4.0: [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2023-38545
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsRUGGEDCOM APE1808: All versions
CPE2.3 External linkshttp://cert-portal.siemens.com/productcert/txt/ssa-832273.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) External control of file name or path
EUVDB-ID: #VU81863
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-38546
CWE-ID:
CWE-73 - External Control of File Name or Path
Exploit availability: No
DescriptionThe vulnerability allows an attacker to inject arbitrary cookies into request.
The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific
file on disk, the cloned version of the handle would instead store the
file name as none (using the four ASCII letters, no quotes).
none - if such a file exists and is readable in the current directory of the program using libcurl.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsRUGGEDCOM APE1808: All versions
CPE2.3 External linkshttp://cert-portal.siemens.com/productcert/txt/ssa-832273.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Privilege Management
EUVDB-ID: #VU85208
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-44250
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper privilege management when handling HA requests. A remote user can execute elevated actions via a specially crafted HTTP request.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsRUGGEDCOM APE1808: All versions
CPE2.3 External linkshttp://cert-portal.siemens.com/productcert/txt/ssa-832273.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Resource exhaustion
EUVDB-ID: #VU81728
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2023-44487
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsRUGGEDCOM APE1808: All versions
CPE2.3 External linkshttp://cert-portal.siemens.com/productcert/txt/ssa-832273.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
7) Improper Certificate Validation
EUVDB-ID: #VU86280
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-47537
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper certificate validation in Fortilink. A remote attacker in a Man-in-the-Middle position can decipher and alter the FortiLink communication channel between the FortiOS device and a FortiSwitch instance.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsRUGGEDCOM APE1808: All versions
CPE2.3 External linkshttp://cert-portal.siemens.com/productcert/txt/ssa-832273.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
