Fortinet addressed multiple issues in FortiOS and other products, including a critical remote code execution flaw in FortiClientLinux.

Fortinet fixed a dozen vulnerabilities in multiple products, including a critical-severity remote code execution (RCE) issue, tracked as CVE-2023-45590 (CVSS score of 9.4), in FortiClientLinux.

The vulnerability is an Improper Control of Generation of Code (‘Code Injection’) issue that resides in FortiClientLinux. An unauthenticated attacker can trigger the flaw to execute arbitrary code by tricking a FortiClientLinux user into visiting a specially crafted website.

“An Improper Control of Generation of Code (‘Code Injection’) vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website.” reads the advisory published by Fortinet.

Below are the impacted versions and the one released by the company to fix the issue.

The vulnerability was reported to Fortinet by the security researcher CataLpa from Dbappsecurity.

Fortinet did not reveal if this vulnerability is actively exploited in attacks in the wild.

US CISA published an alert to warn Fortinet users of the security updates released by the vendor to address multiple vulnerabilities in its products, including OS and FortiProxy.

“Fortinet released security updates to address vulnerabilities in multiple products, including OS and FortiProxy. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.” reads the alert that encourages users and administrators to review the following advisories and apply necessary updates: 

• FR-IR-23-345 FortiClientMac – Lack of configuration file validation
• FG-IR-23-493 FortiOS & FortiProxy – Administrator cookie leakage
• FG-IR-23-087 FortiClient Linux – Remote Code Execution due to dangerous   nodejs configuration

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Researchers released a PoC exploit for a critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is actively exploited.

Security researchers at Horizon3 have released a proof-of-concept (PoC) exploit for a critical vulnerability, tracked as CVE-2023-48788 (CVSS score 9.3), in Fortinet’s FortiClient Enterprise Management Server (EMS) software. The vulnerability is now actively exploited in attacks in the wild.

The vulnerability CVE-2023-48788 is a critical pervasive SQL injection issue that resides in the DAS component.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.” reads the advisory.

Below are the affected versions and the release that addressed this flaw.

Thiago Santana from the ForticlientEMS development team and UK NCSC reported the issue to the company.

The initial advisory reported that Fortinet was not aware of attacks in the wild exploiting this vulnerability.

However, the company has updated the advisory confirming that “this vulnerability is exploited in the wild.”

Horizon3’s Attack Team published a technical analysis of this vulnerability and the PoC exploit. The researchers demonstrated how to turn this SQL injection issue into remote code execution using the built-in xp_cmdshell functionality of Microsoft SQL Server.

The researchers explained that the database was not configured to run the xp_cmdshell command, however it was possible to do it using a few other SQL statements.

“The POC we are releasing only confirms the vulnerability by using a simple SQL injection without xp_cmdshell. To enable RCE, altering the POC is necessary.” reads the analysis published by Horizon3.

“There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined for connections from unrecognized clients or other malicious activity. The MS SQL logs can also be examined for evidence of xp_cmdshell being utilized to obtain command execution.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FortiClient)

Fortinet released security updates to address critical code execution vulnerabilities in FortiOS, FortiProxy, and FortiClientEMS.

Fortinet this week has released security updates to fix critical code execution vulnerabilities in FortiOS, FortiProxy, and FortiClientEMS.

The first vulnerability is an out-of-bounds write issue, tracked as CVE-2023-42789 (CVSS score 9.3), it can be exploited to execute unauthorized code or commands by sending specially crafted HTTP requests to vulnerable devices.

The vulnerability impacts Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.

The vendor also addressed a high-severity stack-based buffer overflow vulnerability, tracked as CVE-2023-42790 (CVSS score 8.1). An attacker can exploit the vulnerability to execute unauthorized code or commands via specially crafted HTTP requests.

The vulnerability impacts Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.

Gwendal Guégniaud of Fortinet Product Security Team discovered both vulnerabilities.

The security vendor also addressed a critical pervasive SQL injection issue, tracked as CVE-2023-48788 (CVSS score 9.3), in the DAS component.

“An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.” reads the advisory.

Below are the affected versions and the release that addressed this flaw.

The flaw was reported by Thiago Santana from the ForticlientEMS development team and UK NCSC.

Fortinet is not aware of attacks in the wild exploiting these vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Researchers warn that the critical vulnerability CVE-2024-21762 in Fortinet FortiOS could potentially impact 150,000 exposed devices.

In February, Fortinet warned that the critical remote code execution vulnerability CVE-2024-21762 (CVSS score 9.6) in FortiOS SSL VPN was actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends to disable SSL VPN as a workaround.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following table includes the list of the impacted versions and the available versions that solve the issue.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

This week, researchers at the Shadowserver Foundation announced that nearly 150,000 devices are still potentially impacted by the issue despite Fortinet added it to the catalog.

The researchers scanned the Internet for Internet-facing Fortinet FortiOS and FortiProxy secure web gateway systems vulnerable to CVE-2024-21762.

The majority of vulnerable devices (at March 9, 2024) are in the United States (24.647), followed by India (7.713), and Brazil (4.934).

Researchers from GreyNoise also published an interesting analysis on the bug, titled “Hunting for Fortinet CVE-2024-21762: Vulnerability Research for Detection Engineering.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, FortiOS)

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiOS bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiOS Out-of-Bound write vulnerability, tracked as CVE-2024-21762, to its Known Exploited Vulnerabilities (KEV) catalog.

This week Fortinet warned that the recently discovered critical remote code execution vulnerability in FortiOS SSL VPN, tracked as CVE-2024-21762 (CVSS score 9.6), is actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends to disable SSL VPN as a workaround.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following table includes the list of the impacted versions and the available versions that solve the issue.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 16, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Fortinet)

Fortinet warns that the recently discovered critical remote code execution flaw in FortiOS SSL VPN, tracked CVE-2024-21762, is being actively exploited.

Fortinet is warning that the recently discovered critical remote code execution vulnerability in FortiOS SSL VPN, tracked as CVE-2024-21762 (CVSS score 9.6), is actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends to disable SSL VPN as a workaround.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following table includes the list of the impacted versions and the available versions that solve the issue.

The security firm also addressed another critical flaw in FortiOS, tracked as CVE-2024-23113 (CVSS score 9.8).

“A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthentified attacker to execute arbitrary code or commands via specially crafted requests.” reads the advisory.

The good news is that the vendor is not aware of attacks in the wild exploiting this flaw.

Vulnerabilities in Fortinet devices are often exploited by threat actors in the wild.

In December 2023, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution

This week, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published a joint report warning that a China-linked APT group breached the Dutch Ministry of Defence last year. The effects of the attack were limited because of the network segmentation implemented in the government infrastructure.

The government experts discovered a previously unpublished remote access trojan (RAT), tracked as COATHANGER, specifically designed to target Fortigate appliances. The RAT is used as second-stage malware, the experts pointed out that it doesn’t exploit a new vulnerability. COATHANGER is a stealthy malware that hooks system calls that could reveal its presence. The malware survives reboots and firmware upgrades.

The attack chain starts with the exploitation of the CVE-2022-42475 vulnerability for FortiGate devices.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)