Maybe you have already noticed (or maybe you have been informed by our Fortinet Firmware Update mailing list) that Fortinet has released of some new FortiOS patches on Feb. 7, 2024. To be more precise – all Fortinet minor and major versions that are running on Fortigate models that are not EOL yet have been updated: 7.4, 7.2, 7.0, 6.4 and even 6.2 which is end-of-support since September 2023.
We know from experience that it is not a good sign when Fortinet is updating all these versions at the same time. Additionally it’s noteworthy that the release notes for 7.2.7 and 7.4.3 do not contain any resolved issues (as of today, Feb 8, 2024, 1:30 pm CEST).
Even without further information – in this situation we would recommend updating your Fortigate to the latest patch release of the current version soon.
Update Feb. 9, 2024: there are some PSIRT information now. (You want to be informed about new Fortinet PSIRT messages? Subscribe to our newsletter.)
For the “FortiOS – Out-of-bound Write in sslvpnd” (FG-IR-24-015) vulnerability, this is the recommended version to fix this issue:
Version | Affected | Solution |
---|---|---|
FortiOS 7.6 | Not affected | Not Applicable |
FortiOS 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
FortiOS 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
FortiOS 7.0 | 7.0.0 through 7.0.13 | Upgrade to 7.0.14 or above |
FortiOS 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
FortiOS 6.2 | 6.2.0 through 6.2.15 | Upgrade to 6.2.16 or above |
FortiOS 6.0 | 6.0 all versions | Migrate to a fixed release |
For the second vulnerability, “Format string bug” the same applies. FortiOS 6.x is not affected from the “FortiOS – Format String Bug in fgfmd vulnerability” (FG-IR-24-029).
Update Feb 23, 2024: 7.0.14 has been released for the new Fortigate models FG90G/91G and FGT120G.
Additionally we noticed the releases of FortiOS 6.0.18 – unfortunately there are no information in the release notes if the mentioned vulnerabilities from this post have been fixed.