The Australian Cyber Security Centre (ACSC) has issued an alert regarding a critical vulnerability in Fortinet’s FortiOS and FortiProxy products. This Fortinet vulnerability has been actively exploited in the wild, posing significant risks to organizations that rely on these products.
Technical users in Australian businesses, organizations, and government entities are advised to take immediate action to secure their systems.
Fortinet Vulnerability: What Happened?
Fortinet identified a critical vulnerability in specific versions of FortiOS and FortiProxy. This vulnerability enables unauthenticated remote attackers to gain “super-admin” privileges by exploiting an alternate path or channel vulnerability (CWE-288). Reports confirm active exploitation, with threat actors performing various post-exploitation activities.
Fortinet has provided detailed indicators of compromise (IOCs) and IP addresses associated with the threat actors. These can help organizations identify and investigate suspicious activities.
Post-Exploitation Activities Observed:
Threat actors exploiting this vulnerability have been observed performing the following actions:
- Creating Admin Accounts: Attackers create admin accounts on devices with random usernames.
- Adding Local Users: Threat actors create local user accounts with random names and integrate them into existing SSL VPN user groups.
- Adjusting Device Configurations: Changes to settings such as firewall policies have been noted.
- Establishing VPN Tunnels: Attackers log into SSL VPNs using compromised accounts to create tunnels into internal networks.
Affected Versions
The following Fortinet products and versions are impacted:
- FortiOS:
- Version 7.0 – From 7.0.0 to 7.0.16
- Solution: Upgrade to 7.0.17 or later.
- FortiProxy:
- Version 7.0 – From 7.0.0 to 7.0.19
- Solution: Upgrade to 7.0.20 or later.
- Version 7.2 – From 7.2.0 to 7.2.12
- Solution: Upgrade to 7.2.13 or later.
Non-Affected Versions:
FortiOS 7.4, FortiOS 7.6, FortiProxy 7.4, and FortiProxy 7.6 are not impacted by this vulnerability.
Mitigation Steps
The ACSC urges organizations to take the following steps to protect their systems:
- Upgrade to Secure Versions:
- Immediately upgrade affected systems to the latest versions as per Fortinet’s recommendations.
- Use Fortinet’s upgrade tool to determine the appropriate upgrade path.
- Investigate for Potential Compromise:
- Review Fortinet’s published IOCs to identify any signs of compromise in your environment.
- Conduct detailed investigations for unusual activity in connected networks and devices.
- Monitor Network Activity:
- Proactively monitor for suspicious behavior, such as unexpected user accounts or changes to firewall policies.
- Follow Fortinet’s Published Advice:
- Refer to Fortinet’s vulnerability notification for additional technical details and guidance.
Technical Background
The Fortinet vulnerability exploits an authentication bypass using an alternate path or channel vulnerability (CWE-288). This flaw allows attackers to craft specific requests targeting the Node.js WebSocket module to gain super-admin privileges.
The exploitation of this vulnerability can lead to unauthorized access, the ability to modify device configurations, and the potential for further lateral movement within the network.
Why This Matters
The critical nature of this vulnerability cannot be overstated. Threat actors gaining super-admin privileges can have devastating consequences for organizations, including data breaches, unauthorized system access, and loss of operational integrity.
Fortinet products are widely used for securing enterprise and government networks. Ensuring these systems are updated and uncompromised is essential to maintaining a secure network infrastructure.
Next Steps for Organisations
- Act Immediately: Upgrade vulnerable devices and investigate for any signs of compromise.
- Use the Fortinet Upgrade Tool: Simplify the upgrade process by leveraging Fortinet’s official tool.
- Stay Updated: Keep track of the latest advisories from both Fortinet and the ACSC.
- Enhance Security Measures: Ensure robust network monitoring, apply necessary patches promptly, and encourage staff to use strong authentication practices.
If you suspect your systems have been compromised, report the issue immediately to the ACSC or your cybersecurity team.
Protecting your systems from this Fortinet vulnerability is critical to safeguarding your organization’s data and operations. Take action now to ensure your network remains secure.
