Fortinet RCE Vulnerability Audit – CVE-2024-21762
Network Devices VulnerabilityDiscover Fortinet Devices Vulnerable to CVE-2024-21762 in Your IT Estate
Fortinet has released updates for several versions of FortiOS in response to a critical remote code execution vulnerability in FortiOS SSL VPN. Fortinet describes the vulnerability as «An out-of-bounds write vulnerability in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.»
They also mention that the vulnerability is potentially being exploited in the wild. The report below will give you an overview of all vulnerable Fortinet devices in your network. You can read more about this CVE in the Fortinet CVE-2024-21762 vulnerability blog post.
The version information of your FortiOS installations will not be scanned by default. You will have to add this information to your scan manually using custom OID scanning. You can easily find the correct OID in the MIB library.
Fortinet CVE-2024-21762 Vulnerability Lansweeper On-Prem Query
Select Top 1000000 tblAssets.AssetID, tblAssets.AssetName, tsysAssetTypes.AssetTypeIcon10 As icon, tblAssets.IPAddress, tsysIPLocations.IPLocation, tblAssetCustom.Manufacturer, tblAssetCustom.Model, tblAssets.Description, Subquery1.Label As OID, Subquery1.Data As Version, Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1) As [Version (Normalized)], Case When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 2) As int) = 4 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 1) As int) < 3 Then 'Vulnerable' When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 2) As int) = 2 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 1) As int) < 7 Then 'Vulnerable' When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 3) As int) = 7 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 2) As int) = 0 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 1) As int) < 14 Then 'Vulnerable' When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 2) As int) = 4 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 1) As int) < 15 Then 'Vulnerable' When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 2) As int) = 2 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 1) As int) < 16 Then 'Vulnerable' When Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 3) As int) = 6 And Cast(ParseName(Right(Subquery1.DataClean, CharIndex('v', Reverse(Subquery1.DataClean)) - 1), 2) As int) = 0 Then 'Vulnerable' Else 'Safe' End As [FortiOS Vulnerable], Case When tblErrors.ErrorText Is Not Null Or tblErrors.ErrorText != '' Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg Else '' End As ScanningErrors, tblAssets.Lastseen, tblAssets.Lasttried From tblAssets Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID Inner Join tblState On tblState.State = tblAssetCustom.State Left Join (Select tblOIDData.AssetID, tblOIDData.Label, tblOIDData.Data, SubString(tblOIDData.Data, CharIndex('v', tblOIDData.Data), CharIndex(',', tblOIDData.Data) - 1 - CharIndex('v', tblOIDData.Data) + Len(',')) As DataClean From tblOIDData Where tblOIDData.Label = 'fg sys version' And tblOIDData.Data Not Like '%data%') As Subquery1 On Subquery1.AssetID = tblAssets.AssetID Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID, Max(tblErrors.Teller) As ErrorID From tblErrors Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType Where tblAssetCustom.Manufacturer Like '%fortinet%' And tblState.Statename = 'Active' Order By tblAssetCustom.Model, tblAssets.IPAddress, Subquery1.DataClean