Fortinet Family (FortiADC, FortiExtender) Security Update Recommendations

Jul 12 2024

Overview

An update has been made available to fix vulnerabilities in Fortinet products. Users of affected versions are advised to update to the latest version.

Affected Products

Cve-2024-27784, cve-2024-27783, cve-2024-27782

FortiAIOps 2.0 version: 2.0.0

CVE-2023-50178

FortiADC 7.4 version: 7.4.0
FortiADC 7.2 versions: 7.2.0 (inclusive) ~ 7.2.3 (inclusive)
FortiADC 7.1 versions: 7.1 All
FortiADC 7.0 version: 7.0 All
FortiADC 6.2 version: 6.2 All
FortiADC 6.1 version: 6.1 All
FortiADC 6.0 version: 6.0 All

CVE-2024-23663

FortiExtender 7.4 versions: 7.4.0 (inclusive) ~ 7.4.2 (inclusive)
FortiExtender 7.2 versions: 7.2.0 (inclusive) ~ 7.2.4 (inclusive)
FortiExtender 7.0 versions: 7.0.0 (inclusive) ~ 7.0.4 (inclusive)

Resolved Vulnerabilities

Vulnerability that could allow an authenticated remote attacker to retrieve sensitive information from the API endpoint or log files (CVE-2024-27784 )

CSRF vulnerability allows an unauthenticated remote attacker to execute arbitrary actions on behalf of an authenticated user by tricking the victim into executing a malicious GET request (CVE-2024-27783)

A session expiration vulnerability could allow an attacker to reuse an existing stolen session token to perform unauthorized actions via crafted requests (CVE-2024-27782)

Improper certificate validation vulnerability that could allow remote and unauthenticated attackers to conduct man-in-the-middle attacks against various remote servers and device-to-device communication channels, such as private SDN connectors and FortiToken Cloud (CVE-2023-50178)

Vulnerability Patches

Vulnerability patches have been made available in the latest updates. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

Cve-2024-27784, cve-2024-27783, cve-2024-27782