Fortinet, Ivanti, and Intel Patch High-Severity RCE Vulnerabilities

In a coordinated series of security advisories, major technology vendors Fortinet, Ivanti, and Intel have disclosed multiple high-severity vulnerabilities that could lead to RCE, Privilege Escalation, or authentication bypass. According to SecurityWeek, these updates address flaws that pose significant risks to both edge infrastructure and endpoint security.

Fortinet FortiClient Linux RCE Mitigation and Technical Analysis

Fortinet has released a fix for a high-severity stack-based buffer overflow vulnerability, identified as CVE-2024-36513. This CVE carries a CVSS score of 7.3 and affects the FortiClient for Linux endpoint agent. The vulnerability exists within the FortiClient Linux epvpn daemon, where the application fails to properly validate the length of input data before copying it to a fixed-size stack buffer.

An unauthenticated, remote attacker could exploit this flaw by sending specially crafted packets to the vulnerable service, potentially leading to arbitrary code execution with the privileges of the daemon. Because FortiClient is often a prerequisite for secure network access, compromising the client represents a direct threat to the integrity of the encrypted tunnel. The recommended Fortinet FortiClient Linux RCE mitigation is to upgrade to version 7.2.2 or 7.4.1 or higher. This flaw highlights the persistent risk that unauthenticated overflows pose to remote access software, which remains a primary target for APT groups seeking an initial foothold.

Ivanti Connect Secure CVE-2024-37375 Patch Details

Ivanti has also addressed critical security gaps in its Connect Secure (ICS) and Policy Secure (IPS) gateways. The most significant vulnerabilities, CVE-2024-37375 and CVE-2024-37377, are both rated with a CVSS score of 7.2. These vulnerabilities involve memory corruption issues that allow a remote attacker with admin privileges to cause a denial-of-service or execute arbitrary code.

While the requirement for administrative privileges provides some defense-in-depth, the history of Ivanti exploitation shows that attackers frequently chain authentication bypasses with post-authentication RCE. Consequently, applying the Ivanti Connect Secure CVE-2024-37375 patch should be a high priority for organizations utilizing these gateways for remote work. Additionally, Ivanti addressed CVE-2024-37373, a medium-severity bug that could allow an attacker to bypass certain security restrictions during the authentication process.

Intel Thunderbolt Driver Privilege Escalation and Hardware Advisories

Intel’s massive security update cycle included 41 separate advisories covering a wide array of software and hardware products. A notable high-severity vulnerability is CVE-2024-24968, which affects certain Intel Thunderbolt controllers. This flaw could enable an authenticated user to achieve Privilege Escalation via local access, making it a target for attackers who have already established a low-privileged presence on a system.

Additional updates were issued for the Intel OneMono software (CVE-2024-21841) and Intel Battery Management software (CVE-2024-23910). These flaws similarly facilitate unauthorized privilege gains. Because these drivers interact closely with the kernel and hardware layers, they are often beyond the visibility of standard EDR solutions, making firmware and driver hygiene a critical component of a Zero Trust security model.

Defensive Recommendations

To mitigate these threats, the SOC should prioritize the following actions:

• Audit Endpoint Versions: Identify all Linux endpoints running FortiClient and ensure they are updated to version 7.4.1 or 7.2.2 to prevent remote overflows.
• Gateway Maintenance: Apply the latest firmware updates to Ivanti ICS and IPS appliances immediately. Monitor logs for any unusual administrative activity that might indicate an attempt to exploit memory corruption flaws.
• Driver Management: Use centralized deployment tools to push the latest Intel Thunderbolt and chipset drivers. Many organizations overlook hardware-level vulnerabilities, leaving a path open for persistent local escalation.
• Monitor for IoCs: Review IoC feeds for any signatures related to the exploitation of these specific CVEs, particularly in the context of VPN service crashes or unexpected daemon restarts.