FortiGate
amatos
Staff
Article Id 335602
Description

This article describes how to block the 'ServiceNow Remote Code Execution' attack with FortiGate.
ServiceNow recently disclosed this vulnerability in its software.

Scope

FortiGate, Intrusion Prevention.
Solution

A signature already exists that blocks the 3 CVEs involved in this attack: CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. More information is available in the corresponding FortiGuard encyclopedia article.

To block this attack with FortiGate, add the 'ServiceNow.jvar_page_title.Jelly.Remote.Code.Execution' signature to the Intrusion Prevention profile. The default action for this signature is 'Block'. This example uses a FortiGate running firmware 7.0.15.


Service_Now_1.PNG

 

Afterwards, apply the Intrusion Prevention profile to the Firewall Policy that handles traffic to and from this application:

Service_Now_2.PNG
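The same two steps in the FortiOS CLI, as an added example that is not part of the original article. The sensor name 'ServiceNow_RCE', the entry number and the policy ID 10 are hypothetical, and <signature-id> is a placeholder for the numeric ID of the 'ServiceNow.jvar_page_title.Jelly.Remote.Code.Execution' signature, which this article does not give. Lines starting with # are annotations, not commands.

```text
# Step 1: create an IPS sensor with an entry for the ServiceNow signature.
# "ServiceNow_RCE" is a hypothetical sensor name.
# <signature-id> is a placeholder: use the numeric ID shown for the
# signature in the FortiGate GUI or the FortiGuard encyclopedia.
config ips sensor
    edit "ServiceNow_RCE"
        set comment "Block ServiceNow RCE (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178)"
        config entries
            edit 1
                set rule <signature-id>
                set status enable
                # Set explicitly so the entry blocks even if the sensor
                # would otherwise follow a different default.
                set action block
                set log enable
            next
        end
    next
end

# Step 2: attach the sensor to the firewall policy that carries traffic
# to and from the ServiceNow application.
# Policy ID 10 is hypothetical; use the ID of the matching policy.
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "ServiceNow_RCE"
    next
end
```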

 

If the signature is not shown in the FortiGate Intrusion Prevention profile, run the following command to update the IPS database:

execute update-now
