CVE-2024-21758
📋 TL;DR
A stack-based buffer overflow vulnerability in Fortinet FortiWeb allows privileged users to execute arbitrary code via specially crafted CLI commands. This affects FortiWeb versions 7.2.0-7.2.7 and 7.4.0-7.4.1. Attackers must bypass FortiWeb's stack protections to exploit this vulnerability.
💻 Affected Systems
- Fortinet FortiWeb
📦 What is this software?
Fortiweb by Fortinet
Fortiweb by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, allowing installation of persistent backdoors, data exfiltration, or lateral movement within the network.
Likely Case
Privilege escalation leading to unauthorized administrative access, configuration changes, or disruption of web application firewall services.
If Mitigated
Limited impact due to proper access controls, network segmentation, and stack protection mechanisms preventing successful exploitation.
🎯 Exploit Status
Exploitation requires privileged user credentials and ability to bypass FortiWeb's stack protection mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.8 or 7.4.2 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-23-458
Restart Required: Yes
Instructions:
1. Log into FortiWeb management interface. 2. Navigate to System > Dashboard. 3. Check for available firmware updates. 4. Download and install version 7.2.8 or 7.4.2. 5. Reboot the appliance after installation completes.
🔧 Temporary Workarounds
Restrict CLI Access
allLimit CLI access to trusted administrative users only and implement strong authentication controls.
config system admin
edit <admin_user>
set accprofile "super_admin"
set trusthost1 <trusted_ip> <trusted_mask>
end
Enable Stack Protection
allEnsure FortiWeb's built-in stack protection mechanisms are enabled and properly configured.
config system global
set stack-protection enable
end
🧯 If You Can't Patch
- Implement strict access controls to limit CLI access to essential administrative personnel only.
- Segment FortiWeb management interfaces from general network traffic and monitor for unusual CLI activity.
🔍 How to Verify
Check if Vulnerable:
Check FortiWeb firmware version via CLI: 'get system status' or web interface: System > Dashboard > System Information.Check Version:
get system status | grep VersionVerify Fix Applied:
Verify firmware version is 7.2.8 or higher for 7.2.x branch, or 7.4.2 or higher for 7.4.x branch.📡 Detection & Monitoring
Log Indicators:
- Unusual CLI command execution patterns
- Multiple failed authentication attempts followed by successful CLI access
- Suspicious process creation from CLI sessions
Network Indicators:
- Unusual SSH or management interface traffic patterns
- Anomalous connections to CLI ports from unexpected sources
SIEM Query:
source="fortiweb" AND (event_type="cli_command" AND command="*" ) | stats count by src_ip, user, command