A critical vulnerability in Fortigate devices was disclosed on 08.02.2024.
The security hole could lead to attacks on network infrastructure. The vulnerability affects the SSL VPN component and allows a potential attacker to execute code remotely, without authentication, by sending a specially crafted HTTP request.
We recommend updating your devices immediately – and if you have any problem with this, the ITH engineering team is at your service.
All Fortigate devices managed by our network and security team were updated immediately after the security patch was released. All of our customers have also been notified of the vulnerability and the existence of this security hole – we RECOMMEND that you upgrade as soon as possible to minimize the risk of attacks.
If you can’t update the software (e.g. due to the lack of an active license), the only workaround is to disable the SSL VPN on the Fortigate.
The vulnerability applies to all Fortigate devices, and its CVSS score is 9.6.
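As an added illustration (not part of the original advisory), the workaround of disabling SSL VPN on an appliance that cannot be patched, written as a FortiOS CLI fragment; it assumes the standard `config vpn ssl settings` syntax and the interface name `wan1`, so verify against your firmware's CLI reference before applying it:

```text
# Constructed example; assumes standard FortiOS CLI syntax and interface "wan1".
# Weak state (the exposed service): SSL VPN enabled on the WAN-facing interface.
config vpn ssl settings
    set status enable
    set source-interface "wan1"
end

# Workaround from the advisory for devices that cannot be updated:
# turn the SSL VPN service off entirely rather than only restricting it.
config vpn ssl settings
    set status disable
end

# Confirm the running configuration reflects the change before treating
# the device as mitigated.
show vpn ssl settings
```

Re-enable the service only after the firmware has been updated to a fixed version.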
Useful links:
- https://www.fortiguard.com/psirt/FG-IR-24-029
- https://www.fortiguard.com/psirt/FG-IR-24-015
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23113
- https://sekurak.pl/krytyczna-podatnosc-rce-bez-uwierzytelnienia-na-urzadzeniach-z-fortios-latajcie-asap-fortigejty-lub-wylaczcie-ssl-vpn/
ITH’s NaaS product line offers Fortigate appliances on a subscription basis (both physical and virtual), including management. A description of the services can be found at: https://ith.eu/zarzadzany-firewall/ and https://ith.eu/zarzadzanie-siecia-przez-zespol-inzynierski/.
Our team of ITH Net and ITH Security network engineers continues to ensure the security and integrity of our clients’ IT systems.
The NOC ITH network team is available for your use, and we publish contact information at https://ith.eu/kontakt/.
ITH is a nationwide provider of ICT solutions for business. ITH’s core services include Internet access, telephony, data center services, and hosting and domains. ITH’s innovative service is the construction of corporate infrastructure as a service. The ITH Group serves a total of more than 10,000 customers from all over Poland and includes ITH, Hexerio (public cloud), and the Kru.pl hosting platform (hosting and domains). The company is headquartered in Warsaw and originated in Krakow, where it is currently one of the largest providers of telecommunications services for business.