Fortinet Product Security Update Advisory
Overview
Security updates have been released to fix vulnerabilities in Fortinet products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-55591
FortiOS 7.0 versions: 7.0.0 through 7.0.16 (inclusive)
FortiProxy 7.2 versions: 7.2.0 through 7.2.12 (inclusive)
FortiProxy 7.0 versions: 7.0.0 through 7.0.19 (inclusive)
CVE-2024-23106
FortiClientEMS 7.2 versions: 7.2.0 through 7.2.3 (inclusive)
FortiClientEMS 7.0 versions: 7.0.0 through 7.0.10 (inclusive)
FortiClientEMS 6.4 versions: all versions
FortiClientEMS 6.2 versions: all versions
CVE-2024-27778
FortiSandbox 4.4 versions: 4.4.0 through 4.4.4 (inclusive)
FortiSandbox 4.2 versions: 4.2.0 through 4.2.6 (inclusive)
FortiSandbox 4.0 versions: 4.0.0 through 4.0.4 (inclusive)
FortiSandbox 3.2 versions: all versions
FortiSandbox 3.1 versions: all versions
FortiSandbox 3.0 versions: 3.0.5 through 3.0.7 (inclusive)
CVE-2024-35273
FortiAnalyzer 7.4 versions: 7.4.0 through 7.4.3 (inclusive)
FortiAnalyzer Cloud 7.4 versions: 7.4.1 through 7.4.2 (inclusive)
FortiManager Cloud 7.4 versions: 7.4.1 through 7.4.2 (inclusive)
FortiManager 7.4 versions: 7.4.0 through 7.4.2 (inclusive)
CVE-2024-35277
FortiManager Cloud 7.4 versions: 7.4.1 through 7.4.2 (inclusive)
FortiManager Cloud 7.2 versions: 7.2.1 through 7.2.5 (inclusive)
FortiManager Cloud 7.0 versions: 7.0.1 through 7.0.12 (inclusive)
FortiManager 7.4 versions: 7.4.0 through 7.4.2 (inclusive)
FortiManager 7.2 versions: 7.2.0 through 7.2.5 (inclusive)
FortiManager 7.0 versions: 7.2.0 through 7.0.12 (inclusive)
FortiManager 6.4 versions: 6.4.0 through 6.4.14 (inclusive)
CVE-2024-36512
FortiAnalyzer 7.4 versions: 7.4.0 through 7.4.3 (inclusive)
FortiAnalyzer 7.2 versions: 7.4.0 through 7.4.3 (inclusive)
FortiAnalyzer 7.0 versions: 7.4.0 through 7.4.3 (inclusive)
FortiAnalyzer 6.2 versions: 7.4.0 through 7.4.3 (inclusive)
FortiManager 7.4 versions: 7.4.0 through 7.4.2 (inclusive)
FortiManager 7.2 versions: 7.2.0 through 7.2.5 (inclusive)
FortiManager 7.0 versions: 7.2.0 through 7.0.12 (inclusive)
FortiManager 6.4 versions: 6.4.0 through 6.4.14 (inclusive)
CVE-2024-46668
FortiOS 7.4 versions: 7.4.0 through 7.4.4 (inclusive)
FortiOS 7.2 versions: 7.2.0 through 7.2.8 (inclusive)
FortiOS 7.0 versions: 7.0.0 through 7.0.15 (inclusive)
FortiOS 6.4 versions: 6.4.0 through 6.4.15 (inclusive)
CVE-2024-46670
FortiOS 7.6 version: 7.6.0
FortiOS 7.4 versions: 7.4.0 through 7.4.4 (inclusive)
FortiOS 7.2 Versions: 7.2.0 through 7.2.9 (inclusive)
CVE-2024-47571
FortiManager 7.4 version: 7.4.0
FortiManager 7.2 version: 7.2.3
FortiManager 7.0 versions: 7.0.7 through 7.0.8 (inclusive)
FortiManager 6.4 version: 6.4.12
CVE-2024-47572
FortiSOAR 7.4 versions: 7.4.0 through 7.4.1 (inclusive)
FortiSOAR 7.3 versions: 7.3.0 through 7.3.2 (inclusive)
FortiSOAR 7.2 versions: 7.2.1 through 7.2.2 (inclusive)
CVE-2024-50566
FortiManager Cloud 7.6 versions: 7.6.0 through 7.6.1 (inclusive)
FortiManager Cloud 7.4 versions: 7.4.0 through 7.4.4 (inclusive)
FortiManager Cloud 7.2 versions: 7.2.2 through 7.2.7 (inclusive)
FortiManager 7.6 versions: 7.6.0 through 7.6.1 (inclusive)
FortiManager 7.4 versions: 7.4.0 through 7.4.5 (inclusive)
FortiManager 7.2 versions: 7.2.1 through 7.2.8 (inclusive)
Resolved Vulnerabilities
Authentication bypass using an alternate path or channel (CVE-2024-55591)
Improper restriction of excessive authentication attempts (CVE-2024-23106)
Improper neutralization of special elements used in an OS command, i.e. OS command injection (CVE-2024-27778)
Out-of-bounds write (CVE-2024-35273)
Missing authentication for critical function (CVE-2024-35277)
Relative path traversal (CVE-2024-36512)
Uncontrolled resource allocation (CVE-2024-46668)
Out-of-bounds read (CVE-2024-46670)
Operation on a resource after expiration or release (CVE-2024-47571)
Improper neutralization of formula elements in a CSV file (CVE-2024-47572)
OS command injection (CVE-2024-50566)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the referenced sites to update to a patched version.
CVE-2024-55591
FortiOS 7.0 version: 7.0.17 or later
FortiProxy 7.2 version: 7.2.13 or later
FortiProxy 7.0 version: 7.0.20 or later
CVE-2024-23106
FortiClientEMS 7.2 version: 7.2.5 or later
FortiClientEMS 7.0 version: 7.0.11 or later
FortiClientEMS 6.4 version: upgrade to a fixed version
FortiClientEMS 6.2 version: upgrade to a fixed version
CVE-2024-27778
FortiSandbox 4.4 version: 4.4.5 or later
FortiSandbox 4.2 version: 4.2.7 or later
FortiSandbox 4.0 version: 4.0.5 or later
FortiSandbox 3.2 version: upgrade to a fixed version
FortiSandbox 3.1 version: upgrade to a fixed version
FortiSandbox 3.0 version: upgrade to a fixed version
CVE-2024-35273
FortiAnalyzer 7.4 version: 7.4.4 or later
FortiAnalyzer Cloud 7.4 version: 7.4.3 or later
FortiManager Cloud 7.4 version: 7.4.3 or later
FortiManager 7.4 version: 7.4.3 or later
CVE-2024-35277
FortiManager Cloud 7.4 version: 7.4.3 or later
FortiManager Cloud 7.2 version: 7.2.7 or later
FortiManager Cloud 7.0 version: 7.0.13 or later
FortiManager 7.4 version: 7.4.3 or later
FortiManager 7.2 version: 7.2.6 or later
FortiManager 7.0 version: 7.2.13 or later
FortiManager 6.4 version: 6.4.15 or later
CVE-2024-36512
FortiAnalyzer 7.4 version: 7.4.4 or later
FortiAnalyzer 7.2 version: 7.4.6 or later
FortiAnalyzer 7.0 version: 7.4.13 or later
FortiAnalyzer 6.2 version: upgrade to a fixed version
FortiManager 7.4 version: 7.4.3 or later
FortiManager 7.2 version: 7.2.6 or later
FortiManager 7.0 version: 7.2.13 or later
FortiManager 6.4 version: 6.4.15 or later
CVE-2024-46668
FortiOS 7.4 version: 7.4.5 or later
FortiOS 7.2 version: 7.2.9 or later
FortiOS 7.0 version: 7.0.15 or later
FortiOS 6.4 version: 6.4.16 or later (update coming soon)
CVE-2024-46670
FortiOS 7.6 version: 7.6.1 or later
FortiOS 7.4 version: 7.4.5 or later
FortiOS 7.2 Versions: 7.2.10 or later
CVE-2024-47571
FortiManager 7.4 version: 7.4.1 or later
FortiManager 7.2 version: 7.2.4 or later
FortiManager 7.0 version: 7.0.9 or later
FortiManager 6.4 version: 6.4.13 or later
CVE-2024-47572
FortiSOAR 7.4 version: 7.4.2 or later
FortiSOAR 7.3 version: 7.3.3 or later
FortiSOAR 7.2 version: upgrade to a fixed version
CVE-2024-50566
FortiManager Cloud 7.6 version: 7.6.2 or later
FortiManager Cloud 7.4 version: 7.4.5 or later
FortiManager Cloud 7.2 version: 7.2.8 or later
FortiManager 7.6 version: 7.6.2 or later
FortiManager 7.4 version: 7.4.6 or later
FortiManager 7.2 version: 7.2.9 or later
References
[1] Authentication bypass in Node.js websocket module
https://fortiguard.fortinet.com/psirt/FG-IR-24-535
[2] EMS console login under brute force attack does not get locked
https://fortiguard.fortinet.com/psirt/FG-IR-23-476
[3] OS command injection
https://fortiguard.fortinet.com/psirt/FG-IR-24-061
[4] Out-of-bounds Write in sndproxy
https://fortiguard.fortinet.com/psirt/FG-IR-24-106
[5] Missing authentication for managed device configuration files
https://fortiguard.fortinet.com/psirt/FG-IR-24-135
[6] Arbitrary file write on GUI
https://www.fortiguard.com/psirt/FG-IR-24-152
[7] Multipart Form Data Denial of Service
https://www.fortiguard.com/psirt/FG-IR-24-219
[8] Out of bounds read in ipsec ike
https://fortiguard.fortinet.com/psirt/FG-IR-24-266
[9] Admin Account Persistence after Deletion
https://www.fortiguard.com/psirt/FG-IR-24-239
[10] Improper Neutralization of Formula Elements in a CSV File
https://fortiguard.fortinet.com/psirt/FG-IR-24-210
[11] OS Command Injection
https://www.fortiguard.com/psirt/FG-IR-24-463