Critical FortiOS vulnerabilities

The CSSF has been made aware of recent critical FortiOS vulnerabilities in sslvpnd and fgfmd, CVE-2024-21762 and CVE-2024-23113. These vulnerabilities allow a remote unauthenticated attacker to execute arbitrary code or command.

CIRCL, the Computer Incident Center Luxembourg, published a technical report on this subject, including recommendations, available at this URL: https://circl.lu/pub/tr-81/.

The CSSF strongly recommends all supervised entities concerned to take duly note of this report and to take actions as appropriate.

Name	Description	Duration
cssf_cookies	Saves information regarding the user's consent to the use of cookies for each optional category.	1 year
ROUTEID	Technical cookie allowing load distribution.	Deleted when the browsing session ends
TBMCookie*	Security: This cookies protects the website against automated attacks.	Deleted when the browsing session ends
__utmvc	These first party cookies are set by a third party service to filter out malicious requests.	Deleted when the browsing session ends
__utmvm*	These first party cookies are set by a third party service to filter out malicious requests.	15 minutes

Name	Description	Duration
cssf_profile	This cookie adapts the website pages to the profile chosen by the visitor (professionals, markets, consumers).	1 year
pll_language	This cookie saves the user’s language choice.	1 year

Name	Description	Duration
_pk_id.#	Collects anonymous statistical data on the website consultations, such as the number of visits or the average time spent on the website. The data is processed in-house and is not shared with a third party.	1 year
_pk_ses.#	Collects anonymous statistical data for the tracking of the pages consulted during the browsing session. The data is processed in-house and is not shared with a third party.	30 minutes