Headline
Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows
The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.
Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.
The bug (CVE-2022-40684) is present in multiple versions of Fortinet’s FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as entry point to the rest of the network.
Bharat Jogi, director of vulnerability threat research at Qualys says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet facing vulnerable systems for compromise.
“They are compromising these systems to create a super_admin user which provides them with complete access and control,” Jogi says. “Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment.”
If this flaw is successfully exploited, an attacker would have complete access to the organization’s internal systems that were previously protected by Fortinet’s firewalls, he says. “Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization’s environment,” Jogi notes.
Added to CISA’s Known Exploited Vulnerabilities Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA’s deadline for implementing fixes.
Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions.
“Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade,” Fortinet said in its private notification, a copy of which was posted on Twitter the same day.
Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super_admin account called "fortigate-tech-support".
Since then, penetration testing from Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.
Exacerbating the concerns is the relatively low bar for exploiting the flaw. “This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system,” Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading
Increase in Scanning Activity for the Flaw
Qualys isn’t the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.
“We expect the number of unique IPs using this exploit to rapidly increase in the coming days,” Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search for instance shows more than 100,000 Fortinet systems worldwide.
“Not all of these will be vulnerable, but a large percentage will be,” Horseman says.
Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379,) hitting SANS’ honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.
One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten it is likely the old vulnerability will get patched as well now, he says.
“Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available,” he theorizes. “The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices.”
A Popular Attacker Target
Concerns over vulnerabilities in Fortinet products are not new. The company’s technologies—and those of others selling similar appliance—have been frequently targeted by attackers trying to gain an initial foothold on target network.
Last November. The FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.
“These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization’s internal networks to launch further attacks,” Hanley says.
Fortinet itself has recommended that organizations that are able to, must update to the newly patched versions of FortiOS, FortiProxy and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrate interface of the affected products.
Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. “However, an organization should be able to apply [the] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance.”
Qualys’ Jogi adds, “It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately.”
Related news
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.
The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations. In an alert published last week, the agency called out Iranian threat actors affiliated with
Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.
Categories: Exploits and vulnerabilities Categories: News Tags: Zoho ManageEngine Tags: CVE-2021-40539 Tags: Log4Shell Tags: CVE-2021-44228 Tags: CVE-2021-13379 Tags: ProxyShell Tags: CVE-2021-34473 Tags: CVE-2021-31207 Tags: CVE-2021-34523 Tags: CVE-2021-26084 Tags: Atlassian Tags: CVE-2022-22954 Tags: CVE-2022-22960 Tags: CVE-2022-26134 Tags: CVE-2022-1388 Tags: CVE-2022-30190 Tags: Follina What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Read more...) The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.
Fortinet FortiOS, FortiProxy, and FortiSwitchManager version 7.2.1 suffers from a authentication bypass vulnerability.
Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said
The vulnerability, disclosed In October, gives an unauthenticated attacker a way to take control of an affected product.
By Waqas The flaw is tracked as CVE-2022-40684 in FortiOS, while its exploit is being sold on a popular Russian hacker forum. This is a post from HackRead.com Read the original post: Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs
While the ransomware-for-hire group works to create ever more efficient exploits, companies can protect themselves with structured vulnerability management processes. Prioritize threats based on severity and risk.
Chinese and Russian cyber-spies actively targeting security vulnerability
This Metasploit module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain access to a chosen account and then adds an SSH key to the authorized_keys file of the chosen account, allowing you to login to the system with the chosen account. Successful exploitation results in remote code execution.
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. "FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can
Fortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild. Tracked as CVE-2022-40684 (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative
Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices. Tracked as CVE-2022-40684, the high-severity flaw relates to an authentication bypass vulnerability that could permit an unauthenticated adversary to perform arbitrary operations on
The bug is under active exploitation; Fortinet issued a customer advisory urging customers to apply its update immediately.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked
The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.
Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium. In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive
By Deeba Ahmed Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group,… This is a post from HackRead.com Read the original post: Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US