Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

Published: 23/11/2024   Category: security




The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.



Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.
The bug (CVE-2022-40684) is present in multiple versions of Fortinet's FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as an entry point to the rest of the network.
Bharat Jogi, director of vulnerability threat research at Qualys, says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet-facing vulnerable systems for compromise.
"They are compromising these systems to create a super_admin user which provides them with complete access and control," Jogi says. "Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment."
If this flaw is successfully exploited, an attacker would have complete access to the organization's internal systems that were previously protected by Fortinet's firewalls, he says. "Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization's environment," Jogi notes.
Added to CISA's Known Exploited Vulnerabilities Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA's deadline for implementing fixes.
Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions.
"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its private notification, a copy of which was posted on Twitter the same day.
Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super_admin account called fortigate-tech-support.
Since then, penetration testing firm Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.
Exacerbating the concerns is the relatively low bar for exploiting the flaw. "This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system," Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading.
Increase in Scanning Activity for the Flaw
Qualys isn't the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai, says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.
"We expect the number of unique IPs using this exploit to rapidly increase in the coming days," Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search, for instance, shows more than 100,000 Fortinet systems worldwide.
"Not all of these will be vulnerable, but a large percentage will be," Horseman says.
Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379) hitting SANS honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.
One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. "Given the attention the new vulnerability has gotten, it is likely the old vulnerability will get patched as well now," he says.
Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available, he theorizes. "The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices."
A Popular Attacker Target
Concerns over vulnerabilities in Fortinet products are not new. The company's technologies—and those of others selling similar appliances—have been frequently targeted by attackers trying to gain an initial foothold on a target network.
Last November, the FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.
"These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization's internal networks to launch further attacks," Hanley says.
Fortinet itself has recommended that organizations that are able to do so update to the newly patched versions of FortiOS, FortiProxy and FortiSwitchManager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrative interface of the affected products.
Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. "However, an organization should be able to apply [the] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance."
Qualys' Jogi adds, "It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately."
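One way to carry out the compromise review described above, as an added example (not from the article, Fortinet or Qualys): a Python script that parses the `config system admin` table of a FortiOS configuration backup and flags the account name from Fortinet's advisory plus any `super_admin` account missing from an allowlist. The sample config, the `netops2` account and the allowlist are constructed for illustration.

```python
import re

# Account name Fortinet said attackers added (from the advisory cited in this article).
KNOWN_BAD = {"fortigate-tech-support"}
# Constructed sample in FortiOS config-backup syntax; not taken from a real device.
SAMPLE = '''config system admin
    edit "admin"
        set accprofile "super_admin"
        config gui-dashboard
            edit 1
            next
        end
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
    next
    edit "netops2"
        set accprofile "super_admin"
    next
end
'''

def parse_admins(config_text):  # admin name -> settings, top-level admin table only
    admins, in_block, depth, current = {}, False, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if not in_block:
            in_block = line == "config system admin"
        elif line.startswith("config "):
            depth += 1  # nested block (e.g. dashboards): skip its contents
        elif line == "end" and depth == 0:
            break  # end of the admin table
        elif line == "end":
            depth -= 1
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = admins.setdefault(m.group(1), {})
        elif depth == 0 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return admins

def audit_admins(config_text, expected_super_admins):
    """Flag the advisory's account name and any super_admin not on the allowlist."""
    findings = []
    for name, cfg in parse_admins(config_text).items():
        if name in KNOWN_BAD:
            findings.append((name, "name reported in Fortinet advisory"))
        elif cfg.get("accprofile") == "super_admin" and name not in expected_super_admins:
            findings.append((name, "unexpected super_admin"))
    return findings
```

A clean result does not clear a device: as Jogi notes, an attacker with this level of access can delete traces of the compromise.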
