Headline
Critical authentication bug in Fortinet products actively exploited in the wild
Chinese and Russian cyber-spies actively targeting security vulnerability
Chinese and Russian cyber-spies actively targeting security vulnerability
Fortinet is urging customers to patch a critical authentication bypass vulnerability that has already been exploited in the wild.
Earlier this month, the networking vendor patched the bug, CVE-2022-40684, found in its FortiOS network operating system, FortiProxy secure web proxy, and FortiSwitchManager management platform projects.
The vulnerability allows an unauthenticated attacker to add an SSH key to the admin user, enabling potential miscreants to hack the administrative interface using specially crafted HTTP or HTTPS requests.
The issue affects FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1, FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0, and FortiSwitchManager versions 7.0.0 and 7.2.0.
Catch up on the latest network security news and analysis
Customers were notified via email and advised to update vulnerable devices to FortiOS 7.0.7 or 7.2.2 and above, FortiProxy 7.0.7 or 7.2.1 and above, and FortiSwitchManager 7.2.1 or above earlier this month. Those that can’t, said Fortinet, should immediately disable internet-facing HTTPS Administration interfaces.
After the patch was released, Horizon3.ai published proof-of-concept code for exploiting the vulnerability.
“An attacker can use this vulnerability to do just about anything they want to the vulnerable system. This includes changing network configurations, adding new users, and initiating packet captures,” it warned.
“Note that this is not the only way to exploit this vulnerability and there may be other sets of conditions that work. For instance, a modified version of this exploit uses the User-Agent ‘Node.js’.”
Axis of exploit
Meanwhile, cybersecurity firm Cyfirma warned that attackers are scanning for and attempting to exploit the vulnerability in the wild.
“Our intelligence research community observed Iranian and Chinese threat actors abusing the vulnerabilities of Fortinet products,” it said. “The suspected threat actors are US17IRGCorp aka APT34, HAFNIUM, and its affiliates in the ongoing campaign.”
Cyfirma warned that Iranian cybercriminals appear to be colluding with Chinese groups and Russian cybercriminals as part of the campaign, with the aim of supporting Russia’s offensive in Ukraine.
Dark web forum discussions, according to Cyfirms, have focused on exploiting weakness in enterprise networks that rely of Fortinet’s technologies, manipulator-in-the-middle (MITM) attacks, potential ransomware attacks, and lateral movement to hack deeper in the network of compromised organizations.
Patching advice reiterated
In response to the detection of attacks in the wild, Fortinet issued a further advisory, stressing the increased seriousness of the situation.
“Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices, and to add a malicious super_admin account called ‘fortigate-tech-support’,” it said, before reiterating its advice for customers to update.
However, four days later, it appeared that many affected organizations had still failed to patch their systems, leading to yet another warning from Fortinet.
“After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of PoC code, there is active exploitation of this vulnerability,” it said.
In a statement for The Daily Swig, the company adds: “As part of our commitment to the security of our customers, we continue to proactively reach out to strongly urge them to immediately follow the guidance provided in our October 10 PSIRT Advisory (FG-IR-22-377), as we continue monitoring the situation.”
RELATED Failed Cobalt Strike fix with buried RCE exploit now patched
Related news
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on
Some 340,000 FortiGate SSL VPN appliances remain exposed to the threat more than three weeks after Fortinet released firmware updates to address the issue.
Users urged to apply updates to FortiOS SSL-VPN after attackers may have leveraged a recently discovered vulnerability in attacks against government, manufacturing, and critical infrastructure organizations.
Fortinet FortiOS, FortiProxy, and FortiSwitchManager version 7.2.1 suffers from a authentication bypass vulnerability.
Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said
The vulnerability, disclosed In October, gives an unauthenticated attacker a way to take control of an affected product.
By Waqas The flaw is tracked as CVE-2022-40684 in FortiOS, while its exploit is being sold on a popular Russian hacker forum. This is a post from HackRead.com Read the original post: Critical Flaw Exploited to Bypass Fortinet Products and Compromise Orgs
This Metasploit module exploits an authentication bypass vulnerability in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API to gain access to a chosen account and then adds an SSH key to the authorized_keys file of the chosen account, allowing you to login to the system with the chosen account. Successful exploitation results in remote code execution.
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.
A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. "FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can
Fortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild. Tracked as CVE-2022-40684 (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative
Fortinet has privately warned its customers of a security flaw affecting FortiGate firewalls and FortiProxy web proxies that could potentially allow an attacker to perform unauthorized actions on susceptible devices. Tracked as CVE-2022-40684, the high-severity flaw relates to an authentication bypass vulnerability that could permit an unauthenticated adversary to perform arbitrary operations on
The bug is under active exploitation; Fortinet issued a customer advisory urging customers to apply its update immediately.