
Fortinet Discloses New Vulnerabilities, Updates

These were first disclosed in late February and comprise two with a critical severity rating

California-based cybersecurity giant Fortinet sent out warnings for five critical vulnerabilities, including one in its enterprise management services that could potentially allow hackers to gain remote code execution (RCE). The flaw is an SQL injection in the DB2 administration server component.

Disclosed initially on February 22, the company provided further details on March 12, stating that the injection vulnerability could allow unauthenticated remote attackers to execute commands or arbitrary code through crafted requests sent to vulnerable FortiClientEMS software. Fortinet also released patches to mitigate the risk and exhorted customers to upgrade their systems to the fixed versions as soon as possible.

Fortinet has patched it up, but Asia is vulnerable

Close on the heels of this disclosure, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory warning that threat actors could exploit some of these vulnerabilities to take control of affected servers. However, media reports indicate that the number of such exposed servers remains extremely high even now.

A report published by The Register quotes data from the non-profit Shadowserver to suggest that the number of Fortinet appliances vulnerable to the bug had come down from 150,000 ten days ago to about 133,000 now. According to the report, the biggest volume of exposures was in Asia, with over 54,000 appliances still vulnerable at this time.

Shadowserver says that even a month after the vulnerability affecting FortiOS (Fortinet's SSL VPN software) and the FortiProxy secure web gateway was first reported, it had observed an increase in exploitation activity as more information about the vulnerability, including a proof-of-concept exploit, became public.

Proof-of-concepts causing some challenges

Following the initial disclosure, Fortinet noted that there was evidence of the vulnerability being exploited as a zero-day. This was corroborated by CISA, which also added it to the Known Exploited Vulnerabilities (KEV) catalog, which effectively means that all US federal agencies are required to patch it within a very tight deadline.

Given the easy availability of proof-of-concepts online, the likelihood of attackers scanning for vulnerable servers and compromising one of them also went up over the last month, which is why Fortinet has been shouting from the rooftops asking IT managers to quickly patch their boxes and keep them safe.

Meanwhile, cybersecurity vendor Assetnote published a blog post detailing how its security team had produced a working exploit for one of the bugs in FortiGate SSL VPN. The company said it chose to probe the vulnerabilities because FortiGate is widely deployed and "a pre-auth remote code execution vulnerability" could be lethal.

“The exploit described in this post is tailored to the exact version of FortiGate SSL VPN used for testing. It is unlikely the exploit will work on other versions. The purpose of our research is primarily to power our exposure engine. We also publish research to add more colour and help defenders,” says the Assetnote blog post.