Headline

CVE-2021-44168: Fortiguard

A download of code without integrity check vulnerability in the “execute restore src-vis” command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

2 years ago

CVE

Open in Source

#vulnerability #ios

PSIRT Advisories

FortiOS - Removal of `restore src-vis` command.

Summary

A download of code without integrity check vulnerability [CWE-494] in the “execute restore src-vis” command of FortiOS may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

Exploitation Status:

Fortinet is aware of an instance where this vulnerability was abused and recommends immediately validating your systems for indicators of compromise:

Unexpected files on the FortiGate Device (list files with `fnsysctl ls`)
- /data2/virc.dat
- /data2/vire
- /data2/vire.tar.gz
- /data2/vire.tar
- /data2/vird
- /data2/gettd
- /data2/smartctll
- /data2/ftar
- /data2/reportnd
- /data2/llpdtd
- /data2/flcfgt
- /data2/viree/vire/inject
- /data2/viree/vire/insmod
- /data2/viree/vire/hack.o
- /data2/viree/vire/libips.so
- /bin/lldptd
- /data/lib/libipsx.so
- /data2/viree/vire/ld.so.preload
- /etc/ld.so.preload
Unexpected processes running on the FortiGate device
- The following unexpected processes were found to be running on the device when running `fnsysctl ps`:
  - 30892 0 0 S ash -c /bin/flcfgt>/data2/44.txt 2>&1
  - 30068 0 0:00 {smartctl} ash -c /data2/smartctl ps>/data2/17.txt 2>
Unexpected traffic sourced from the FortiGate device
- Traffic has been observed to the following C&C servers on port 7443 (Plaintext HTTP):
  - 192.46.213.244
  - 172.105.181.67