CISA has added vulnerabilities in Fortinet and Ivanti products to its Known Exploited Vulnerabilities (KEV) catalogue, highlighting the active exploitation of these flaws. Fortinet's vulnerabilities include a format string issue that allows remote code execution, while Ivanti's involve SQL injection and command injection in its Cloud Services Application (CSA). Both vendors recommend urgent patching to mitigate these risks, but alternative workarounds are available for those who cannot immediately apply fixes.

Ivanti is a software company that provides IT asset and service management, unified endpoint management, and cybersecurity solutions. The company’s solutions help organisations secure and manage devices, infrastructure, and service interactions across hybrid work environments.

Technical: Ivanti’s product lineup includes systems for managing remote access, patching vulnerabilities, and securing endpoints. Ivanti's Cloud Services Appliance (CSA), which facilitates secure remote connections, plays a critical role in providing a secure-by-design environment.

Functional: Ivanti's CSA ensures that administrators can manage devices remotely while maintaining robust security protocols, even when facing issues like SQL injection or OS command injection vulnerabilities.

Key Notes:

• Fortinet Vulnerabilities: Disclosed in February, the format string vulnerability (CVE-2024-23113) affects several Fortinet products, including FortiOS and FortiProxy, allowing remote attackers to execute commands.
• Ivanti Vulnerabilities: The vulnerabilities (CVE-2024-9379, CVE-2024-9380, CVE-2024-8963) in Ivanti’s CSA allow attackers to perform SQL injections and command injections. These flaws particularly affect the end-of-life CSA 4.6, but CSA 5.0 has no recorded exploits.
• Mitigations: Fortinet and Ivanti recommend urgent patching, with workarounds available if patches can’t be immediately applied.
• Security Focus: Ivanti also recommends reviewing system logs and implementing a layered security approach, including Endpoint Detection and Response (EDR) tools.

Administrators should prioritise patching affected Fortinet and Ivanti products to mitigate vulnerabilities. For systems where patching is not immediately possible, applying temporary mitigations (such as removing fgfm access in Fortinet or reviewing CSA user logs) is critical to reduce attack exposure.

Given the active exploitation of vulnerabilities in Fortinet and Ivanti products, organisations should:

• Patch immediately where possible.
• Implement temporary workarounds if patching is delayed.
• Review logs for signs of exploitation.
• Use a layered defence strategy, particularly for edge devices.
• Ensure security tools like EDR are installed and monitored.

Source and further reading.

Jones, C. (2024, October 10). CISA adds fresh Ivanti vuln, critical Fortinet bug to hall of shame. The Register. https://www.theregister.com/2024/10/10/cisa_ivanti_fortinet_vulns/

Vulnerabilities in Fortinet products. (2024, November 4). https://cert.europa.eu/publications/security-advisories/2024-036/