Users urged to apply updates to FortiOS SSL-VPN after attackers may have leveraged a recently discovered vulnerability in attacks against government, manufacturing, and critical infrastructure organizations.

Attackers may have exploited a flaw in Fortinet's FortiOS SSL-VPN in "a limited number of cases" that affected users in government, manufacturing, and critical infrastructure sectors.

Fortinet issued a fix for the vulnerability, tracked as CVE-2023-27997/FG-IR-23-097) and rated as critical, that it's urging customers to apply as they "monitor the situation," the company said in a blog post published this week.

Exploitation of the flaw can produce "data loss and OS and file corruption" for victims, which is why it's imperative for customers affected to update systems, according to Fortinet.

"If the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release," Carl Windsor, Fortinet's senior vice president, product technology, wrote in the post. "If the customer is not operating SSL-VPN the risk of this issue is mitigated — however, Fortinet still recommends upgrading."

The heap-based buffer overflow, pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests, according to Fortinet. FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 — released by the vendor on Friday — patch the vulnerability.

Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which upon discovery was a zero-day bug — in January.

"This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases," Windsor wrote.

**Potential Links to Volt Typhoon**

Though attackers used a previously identified Fortinet vulnerability — FG-IR-22-377/CVE-2022-40684 — in the recently discovered Volt Typhoon campaign against US criticial infrastructure targets, Fortinet so far is not conclusively linking CVE-2023-27997 to this series of attacks, the company said in the post.

However, Fortinet claimed this does not preclude its use in the campaign, whether it's currently being exploited, or if attackers will leverage it in the future.

"Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," Windsor wrote.

Discovered by Microsoft, Volt Typhoon is a series of attacks in which China-sponsored threat actors established persistent access within telecom networks and other critical infrastructure targets in the US.

Volt Typhoon attackers used CVE-2022-40684 — an authentication bypass vulnerability found in Fortinet FortiOS and FortiProxy — for initial access, Fortinet confirmed. Indeed, Internet-facing Fortinet devices are a popular target for various threat actors as a way to gain a foothold into enterprise networks.

Specifically, Fortinet researchers discovered admin accounts named "fortinet-tech-support" and "fortigate-tech-support" in customer devices related to the Volt Typhoon campaign, the company said.

"Our own research, conducted in collaboration with our customers, has identified that the Volt Typhoon campaign uses a variety of tactics, techniques, and procedures (TTPs) to gain access to networks, including a widely used technique known as 'living off the land' to evade detection," Windsor wrote.

**Mitigations Beyond Patching**

While applying product updates is the key way to avoid compromise, Fortinet made other suggestions to help affected organizations resolve the issue. One is to review systems for evidence of exploitation of previous Fortinet vulnerabilities, such as the one exploited by Volt Typhoon, the company said.

Minimizing the attack surface by disabling unused features and managing devices via an out-of-band method wherever possible can also help companies avoid being targeted in attacks that exploit existing vulnerabilities, according to Fortinet.

Fortinet: Patched Critical Flaw May Have Been Exploited

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE-2023-24897

NuGet Client Remote Code Execution Vulnerability

CVE-2023-29337

.NET Framework Remote Code Execution Vulnerability

CVE-2023-29326

CVE-2023-24895

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2023-32031

CVE-2023-28310

Directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files via the rename feature.

\[Vulnerability description\]  
The Remote Code Execution (RCE) vulnerability exists in ujcms v6.0.2, when the project is partially configured on Linux using Tomcat, attackers can use path traversal and arbitrary file uploads to execute arbitrary code.

\[Vulnerability Type\]  
Remote Code Execution (RCE)

\[Vendor of Product\]  
https://gitee.com/ujcms/ujcms  
https://github.com/ujcms/ujcms  
https://www.ujcms.com/

\[Affected Product Code Base\]  
v6.0.2

\[Vulnerability proof\]  
The code restricts the access and execution of jsp and jspx files, but it exists in any path and any file upload, so you can upload a web.xml file and add a jsp resolvable suffix, such as abc

    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.abc</url-pattern>
    </servlet-mapping>
    

Condition: It needs to be deployed with tomcat on Linux, and the configuration file cannot be overwritten on Windows, and File.renameTo is used

1.  Upload web.xml  
    Download an initial configuration file web.xml of tomcat, and add the above configuration in the following location  
      
    Upload the web.xml file to the uploads directory first, and use the path id to indicate it when uploading, and the path cannot be traversed  
      
    Rename, the capture package can traverse the path at the file name, and overwrite the original web.xml  
    
2.  Upload the Trojan horse  
    Upload a Trojan horse and execute the ping command. At this time, the uploaded suffix cannot be the custom analytical suffix above. You can upload any suffix and rename it later, otherwise the upload will not succeed  
      
    The upload suffix is ​​abc1  
      
    Renamed to ../../123.abc, the path traverses to the root directory  
      
    Visit 123.abc and successfully trigger rce  
    

\[Code Details\]

1.  Upload  
    Track the rename interface, find that the parameters are being passed to doUpload, and verify the suffix at the upload  
    com.ujcms.cms.core.web.backendapi.AbstractUploadController#doUpload  
      
    The suffix can be uploaded without any problem.
    
2.  Rename  
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#rename is the same as upload, it has checkName to verify the file name, enter here to view the code  
      
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String) Check the file name, when both meet  
    (1) The file name is empty  
    (2) The file name contains illegal characters  
    an exception is thrown, but the first condition is always false, and the conditions cannot be met at the same time, so this verification will always be bypassed, so it can be executed, and then any file can be renamed and uploaded.  
      
    So there is a problem with the judgment logic here, it should be || instead of &&, which leads to the failure of the security check in this place. Of course, this is also the reason why it can be used successfully.  
    After passing the verification of this block, use File.renameTo in com.ujcms.util.file.LocalFileHandler#rename to rename the file.  
      
    renameTo cannot overwrite files in Windows, but can overwrite and create directories in Linux, so this vulnerability can only be exploited in Linux.

CVE-2023-34865: There is a remote code execution (RCE) vulnerability exists in ujcms v6.0.2 · Issue #5 · ujcms/ujcms

The June 2023 Patch Tuesday security update included fixes for a bypass for two previously addressed issues in Microsoft Exchange and a critical elevation of privilege flaw in SharePoint Server.

Microsoft’s Patch Tuesday security update for June 2023 contains patches for 69 vulnerabilities across its suite of products and software. Some of the fixed flaws were originally submitted to the Zero Day Institute during the Pwn2Own competition earlier this year in Vancouver.

Microsoft identified a total six of the bugs it fixed this month as being of critical severity and 62 as important. Just one is rated moderate in severity. For the first time in months, Microsoft did not disclose any zero-days, vulnerabilities that are already under active attack.

**Prioritizing Patches for Critical Bugs**

The security updates address issues in Microsoft Windows and Windows Components, Office and Office Components, Exchange Server, Microsoft Edge (Chromium), SharePoint Server, .NET and Visual Studio, Microsoft Teams, Azure DevOps, Microsoft Dynamics, and the Remote Desktop Client.

The critical elevation of privilege vulnerability in Microsoft SharePoint Server (CVE-2023-29357) was one of the bugs chained together in a successful exploit during the Pwn2Own competition, Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), wrote in a blog post. Attackers have a chance at gaining administrator privileges on the SharePoint Server if they have spoofed JSON Web Token (JWT) authentication tokens — all without requiring any user interaction. Both SharePoint Enterprise Server 2016 and SharePoint Server 2019 are vulnerable.

Microsoft recommended that on-premises customers enable the AMSI feature. Childs said ZDI's team had not yet tested the workaround but said that the "best bet is to test and deploy the update as soon as possible."

The three remote code execution vulnerabilities in the Windows Pragmatic General Multicast (PGM) server environment (CVE-2023-20363, CVE-2023-32014, CVE-2023-32015) all have the same base severity score of 9.8 — and this is the third month that Microsoft is addressing critical severity flaws in PGM. A remote, unauthenticated attacker could send a specially crafted file over the network and execute malicious code in a Windows PGM server environment where the Windows message queuing service is running. Even though PGM is not enabled by default, many organizations have PGM in their environment since it is a protocol used for reliable multicast data delivery in Windows. PGM is commonly used in applications like video streaming and online gaming.

The fact that the attacker does not need to be authenticated makes this a particularly dangerous issue. As a temporary workaround, administrators can check if Message Queuing service is running on TCP port 1801 and disable it if not needed. Mitigations should not be considered substitutes for patching, as attackers can figure out ways to bypass the workaround and still exploit the vulnerability.

The other two critical vulnerabilities to prioritize are the remote code execution flaw in .NET, .NET Framework, and Visual Studio (CVE-2023-24897), and the denial-of-service vulnerability in Windows Hyper-V (CVE-2023-32013).

**Prioritize the "More Likely" to Be Exploited Ones, Too**

There are several vulnerabilities researchers recommend prioritizing as Microsoft considers them "more likely" to be exploited. The remote code execution vulnerability in Microsoft Exchange Server (CVE-2023-28310) would allow an authenticated attacker on the same intranet as the Exchange Server to launch to a PowerShell remote session to arbitrarily execute code.

Another remote code execution vulnerability in Exchange (CVE-2023-32031) could allow authenticated attackers on the Exchange server to execute malicious code with SYSTEM privileges. This vulnerability is a bypass of two previously fixed vulnerabilities (CVE-2022-41082 was a zero-day flaw disclosed last September and patched in November, and CVE-2023-21529 patched in Feburary). While successfully exploiting this flaw can gain SYSTEM privileges, this is not a critical-severity flaw because the attacker needs to already have an account on the Exchange server. CVE-2022-41082 is one of two so-called "ProxyNotShell" flaws in Exchange Server and has been used in ransomware attacks in the past.

Organizations need to prioritize fixing both Exchange vulnerabilities because attackers can chain these flaws as part of a larger campaign where they steal credentials or gain elevated privileges on the network.

Two other elevation of privilege vulnerabilities — one in the Windows graphics device interface (GDI) and the other in the Windows Win32k kernel driver — lets attackers gain SYSTEM privileges.

Microsoft Fixes 69 Bugs, but None Are Zero-Days

An update for .NET 7.0 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-24936: No description is available for this CVE.
* CVE-2023-29331: No description is available for this CVE.
* CVE-2023-29337: No description is available for this CVE.
* CVE-2023-32032: .NET and Visual Studio Elevation of Privilege Vulnerability
* CVE-2023-33128: .NET and Visual Studio Remote Code Execution Vulnerability


Tag

#rce