SB2024031338 - Multiple vulnerabilities in Fortigate NGFW on Siemens RUGGEDCOM APE1808 devices
Published: March 13, 2024 Updated: February 21, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2024-21762)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing HTTP requests in sslvpnd. A remote attacker can send specially crafted HTTP requests to the SSL-VPN service, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
2) Format string error (CVE-ID: CVE-2024-23113)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within the fgfmd communication daemon. A remote non-authenticated attacker can send specially crafted requests to the device and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).
4) External control of file name or path (CVE-ID: CVE-2023-38546)
The vulnerability allows an attacker to inject arbitrary cookies into request.
The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific
file on disk, the cloned version of the handle would instead store the
file name as none (using the four ASCII letters, no quotes).
none - if such a file exists and is readable in the current directory of the program using libcurl. 5) Improper Privilege Management (CVE-ID: CVE-2023-44250)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper privilege management when handling HA requests. A remote user can execute elevated actions via a specially crafted HTTP request.
6) Resource exhaustion (CVE-ID: CVE-2023-44487)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
7) Improper Certificate Validation (CVE-ID: CVE-2023-47537)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper certificate validation in Fortilink. A remote attacker in a Man-in-the-Middle position can decipher and alter the FortiLink communication channel between the FortiOS device and a FortiSwitch instance.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.