Critical Security Alert: Fortinet PSIRT Announces Vulnerabilities in FortiSIEM, FortiProxy, FortiOS, FortiClientEMS, and FortiManager
Fortinet’s PSIRT (Product Security Incident Response Team) has released their vulnerability findings for February 2024. Multiple command injection vulnerabilities in FortiSIEM supervisor.
Why Should You Be Concerned?
Quality hardware and software vendors (like Fortinet) do their best to monitor and quickly remediate any vulnerabilities found in their products. Without patching those vulnerabilities, you leave yourself, your company, and your clients susceptible to attacks, potentially permitting threat actors access to your environment and data.
What Can Be Done?
Remember, timely updates are your first line of defense against potential cyber threats!
Don’t Delay—Reach Out for Expert Assistance
We at Helient monitor vulnerability release information from the security community and our vendors in order to stay on top of current threats and to ensure our client’s environments are patched and secured as quickly as possible.
What Is Affected?
This CVE affects the following:
[ FortiSASE – FortiProxy – FortiOS ] FortiOS & FortiProxy – CVE-2023-44487 – Rapid Reset HTTP/2 vulnerability
| Version | Affected | Solution |
| FortiOS 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| Version | Affected | Solution |
| FortiProxy 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiProxy 7.2 | 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above |
| FortiProxy 7.0 | 7.0 all versions | Migrate to a fixed release |
[ FortiOS ] FortiOS – Fortilink lack of certificate validation
| Version | Affected | Solution |
| FortiOS 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0 all versions | Migrate to a fixed release |
[ FortiSASE – FortiProxy – FortiOS ] FortiOS – Out-of-bound Write in sslvpnd
| Version | Affected | Solution |
| FortiOS 7.6 | Not affected | Not Applicable |
| FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
| FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
| FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
[ FortiWeb – FortiVoice – FortiSwitchManager – FortiSASE – FortiProxy – FortiPAM – FortiOS – FortiAuthenticator ] FortiOS – Format String Bug in fgfmd
| Version | Affected | Solution |
| FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
[ FortiClientEMS ] FortiClientEMS – Improper privilege management for site super administrator
| Version | Affected | Solution |
| FortiClientEMS 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
| FortiClientEMS 7.0 | 7.0.6 through 7.0.10 | Upgrade to 7.0.11 or above |
| FortiClientEMS 7.0 | 7.0.0 through 7.0.4 | Upgrade to 7.0.11 or above |
| FortiClientEMS 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiClientEMS 6.2 | 6.2 all versions | Migrate to a fixed release |
[ FortiManager – FortiAnalyzer-BigData – FortiAnalyzer ] FortiManager – Informative error messages
FortiAnalyzer:
| Version | Affected | Solution |
| FortiAnalyzer 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiAnalyzer 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiAnalyzer 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.2 | 6.2 all versions | Migrate to a fixed release |
[ FortiSIEM ] FortiSIEM – Multiple remote unauthenticated os command injection
- FortiSIEM version 7.1.0 through 7.1.1
- FortiSIEM version 7.0.0 through 7.0.2
- FortiSIEM version 6.7.0 through 6.7.8
- FortiSIEM version 6.6.0 through 6.6.3
- FortiSIEM version 6.5.0 through 6.5.2
- FortiSIEM version 6.4.0 through 6.4.2
FortiAnalyzer – BigData:
| Version | Affected | Solution |
| FortiAnalyzer-BigData 7.4 | Not affected | Not Applicable |
| FortiAnalyzer-BigData 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiAnalyzer-BigData 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiAnalyzer-BigData 6.2 | 6.2 all versions | Migrate to a fixed release |
Forti Manager:
| Version | Affected | Solution |
| FortiManager 7.4 | 7.4.0 through 7.4.1 | Upgrade to 7.4.2 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| FortiManager 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiManager 6.4 | 6.4 all versions | Migrate to a fixed release |
| FortiManager 6.2 | 6.2 all versions | Migrate to a fixed release |
[ FortiNAC ] FortiNAC – XSS in Show Audit Log
| Version | Affected | Solution |
| FortiNAC 9.4 | 9.4.0 through 9.4.3 | Upgrade to 9.4.4 or above |
| FortiNAC 9.2 | 9.2 all versions | Migrate to a fixed release |
| FortiNAC 9.1 | 9.1 all versions | Migrate to a fixed release |
| FortiNAC 8.8 | 8.8 all versions | Migrate to a fixed release |
| FortiNAC 8.7 | 8.7 all versions | Migrate to a fixed release |
| FortiNAC 8.6 | 8.6 all versions | Migrate to a fixed release |
| FortiNAC 8.5 | 8.5 all versions | Migrate to a fixed release |
| FortiNAC 8.3 | 8.3 all versions | Migrate to a fixed release |
| FortiNAC 7.2 | 7.2.0 through 7.2.2 | Upgrade to 7.2.3 or above |
We recognize the challenges that can accompany implementing critical security updates. That’s why our team of industry-leading networking experts stands ready to offer guidance and support.
For a smooth and effective upgrade process, contact us at service@helient.com.