Fortinet has revealed vulnerabilities in its FortiOS, FortiProxy, FortiClient Linux, and FortiClient Mac products, including a critical one that could allow remote code execution. This critical flaw, identified as CVE-2023-45590, has a high severity score and could enable an attacker to execute arbitrary code by tricking a user into visiting a malicious website. Other high-severity issues affect FortiOS and FortiProxy, where credentials are not adequately protected. A specific flaw (CVE-2023-41677) might allow an attacker to steal the administrator cookie under certain conditions. Additionally, FortiClientMac has vulnerabilities due to a lack of configuration file validation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning about the potential for cyber threat actors to exploit these vulnerabilities.
New Fortinet zero-day:
CVE-2024-21762 (9.6 critical) FortiOS - Out-of-bound Write in sslvpnd: An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.
Note: This is potentially being exploited in the wild.
Fortinet vulnerabilities have historically been targeted by People’s Republic of China (PRC) state-sponsored cyber actors. On 19 January 2023, Mandiant reported the exploitation of the FortiOS SSL VPN vulnerability CVE-2022-42475 as a zero-day by suspected Chinese threat actors. Mandiant published a subsequent blog post on 16 March 2023 detailing the exploitation of another FortiOS zero-day, CVE-2022-41328, by the Chinese threat actor UNC3886. CISA, FBI and NSA assess that PRC state-sponsored cyber actors are seeking to position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA’s joint cybersecurity advisory of 07 February 2024 states that the Chinese Advanced Persistent Threat (APT) Volt Typhoon likely obtained initial access by exploiting CVE-2022-42475 in an unpatched network perimeter FortiGate 300D firewall. Fortinet also provided case studies of Volt Typhoon targeting the manufacturing, consulting, local government, and internet service provider sectors, and of post-exploitation activity described as Living Off the Land (LotL) techniques.
Anyone with an internet-facing #fortinet #fortigate: I would recommend updating to the latest version of #fortiOS (released a couple of hours ago). Feels like something nasty coming up there...
If you work in #infosec I suggest you read the above, even if just to get a feel for what we are collectively up against. No fluffy or whitepaper stuff, I promise.
Then, if you have any device running #FortiOS anywhere, especially if the Chinese government might be interested in anything you do, dump a disk image of the device(s) (with a virtual device this would be easy, I haven't found info on how to do this from a device) and head over to https://github.com/JSCU-NL/COATHANGER to at least run the checks. There is also some live checking you could do; see the report.
Pass anything sufficiently suspicious by your DFIR team, and if the experts think it is "sus", report to your national CSIRT/CERT, or as per the request in the report to the NCSC of the Netherlands: https://english.ncsc.nl/contact.
Journey into an issue our team had to overcome to perform comprehensive research on #FortiGate firmware.
Get a firsthand look at the process involved in performing #security research and check out FortiCrack, which you can use to decrypt encrypted #Fortinet #FortiOS firmware images. #infosec #hacking