CVE-2024-23113: Format String Bug in fgfmd

First published: Thu Feb 08 2024(Updated: )

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.

Credit: psirt@fortinet.com psirt@fortinet.com

Affected Software	Affected Version	How to fix
Fortinet FortiOS	=6.0.x
Fortinet FortiOS
Fortinet FortiSIEM
Fortinet Multiple Products
Fortinet FortiProxy	>=7.0.0<=7.0.14
Fortinet FortiProxy	>=7.2.0<=7.2.8
Fortinet FortiProxy	>=7.4.0<=7.4.2
Fortinet FortiSwitchManager	>=7.0.0<=7.0.3
Fortinet FortiSwitchManager	>=7.2.0<=7.2.3
Fortinet FortiOS	>=7.0.0<=7.0.13
Fortinet FortiOS	>=7.2.0<=7.2.6
Fortinet FortiOS	>=7.4.0<=7.4.2
Fortinet FortiPAM	>=1.0.0<=1.0.3
Fortinet FortiPAM	>=1.1.0<=1.1.2
Fortinet FortiPAM	=1.2.0
Fortinet FortiOS	>=7.4.0<=7.4.2
Fortinet FortiOS	>=7.2.0<=7.2.6
Fortinet FortiOS	>=7.0.0<=7.0.13
Fortinet FortiPAM	>=1.2
Fortinet FortiPAM	>=1.1
Fortinet FortiPAM	>=1.0
Fortinet FortiProxy	>=7.4.0<=7.4.2
Fortinet FortiProxy	>=7.2.0<=7.2.8
Fortinet FortiProxy	>=7.0.0<=7.0.15
Fortinet FortiSwitchManager	>=7.2.0<=7.2.3
Fortinet FortiSwitchManager	>=7.0.0<=7.0.3
	>=7.0.0<=7.0.14
	>=7.2.0<=7.2.8
	>=7.4.0<=7.4.2
	>=7.0.0<=7.0.3
	>=7.2.0<=7.2.3
	>=7.0.0<=7.0.13
	>=7.2.0<=7.2.6
	>=7.4.0<=7.4.2
	>=1.0.0<=1.0.3
	>=1.1.0<=1.1.2
	=1.2.0

Remedy

Please upgrade to FortiWeb version 7.4.3 or above Please upgrade to FortiVoice version 7.0.2 or above Please upgrade to FortiVoice version 6.4.9 or above Please upgrade to FortiSwitchManager version 7.2.4 or above Please upgrade to FortiSwitchManager version 7.0.4 or above Please upgrade to FortiOS version 7.4.3 or above Please upgrade to FortiOS version 7.2.7 or above Please upgrade to FortiOS version 7.0.14 or above Please upgrade to FortiAuthenticator version 7.0.0 or above Please upgrade to FortiPAM version 1.2.1 or above Please upgrade to FortiPAM version 1.1.3 or above Please upgrade to FortiProxy version 7.4.3 or above Please upgrade to FortiProxy version 7.2.9 or above Please upgrade to FortiProxy version 7.0.16 or above

Remedy

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Never miss a vulnerability like this again

Reference Links

Peer vulnerabilities

(Found alongside the following vulnerabilities)

collector/bleeping-computer
source/BleepingComputer
alias/CVE-2024-21762
alias/CVE-2024-23113
alias/CVE-2023-44487
alias/CVE-2023-47537
agent/type
collector/the-register
source/The Register
alias/CVE-2024-23108
alias/CVE-2024-23109
alias/CVE-2023-34992
agent/first-publish-date
agent/weakness
agent/severity
collector/epss-latest
source/FIRST
agent/epss
agent/title
zeroday/true
agent/news-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
exploited/true
collector/cisa-known-exploited
source/CISA
agent/remedy
agent/author
alias/CVE-2022-42475
collector/nvd-api
source/NVD
alias/CVE-2024-9379
alias/CVE-2024-9380
alias/CVE-2024-8963
alias/CVE-2024-8190
alias/CVE-2024-9381
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/nvd-cve
agent/references
collector/fortiguard-psirt-latest
source/FortiGuard
agent/event
collector/fortiguard-psirt
agent/softwarecombine
agent/tags
alias/CVE-2024-47575
vendor/fortinet
canonical/fortinet fortios
version/fortinet fortios/6.0.x
canonical/fortinet fortisiem
canonical/fortinet multiple products
canonical/fortinet fortiproxy
version/fortinet fortiproxy/7.0.0
version/fortinet fortiproxy/7.0.14
version/fortinet fortiproxy/7.2.0
version/fortinet fortiproxy/7.2.8
version/fortinet fortiproxy/7.4.0
version/fortinet fortiproxy/7.4.2
canonical/fortinet fortiswitchmanager
version/fortinet fortiswitchmanager/7.0.0
version/fortinet fortiswitchmanager/7.0.3
version/fortinet fortiswitchmanager/7.2.0
version/fortinet fortiswitchmanager/7.2.3
version/fortinet fortios/7.0.0
version/fortinet fortios/7.0.13
version/fortinet fortios/7.2.0
version/fortinet fortios/7.2.6
version/fortinet fortios/7.4.0
version/fortinet fortios/7.4.2
canonical/fortinet fortipam
version/fortinet fortipam/1.0.0
version/fortinet fortipam/1.0.3
version/fortinet fortipam/1.1.0
version/fortinet fortipam/1.1.2
version/fortinet fortipam/1.2.0
version/fortinet fortipam/1.2
version/fortinet fortipam/1.1
version/fortinet fortipam/1.0
version/fortinet fortiproxy/7.0.15

CVE-2024-23113: Format String Bug in fgfmd

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Peer vulnerabilities

Company

Resources

Contact