
Warning Issued for Potential Security Breaches in FortiOS and FortiProxy Systems


Security Alert: Vulnerabilities Found in FortiOS and FortiProxy Systems


In a recent development, the Australian Cyber Security Centre (ACSC) has issued an alert about certain Fortinet products because of a security vulnerability. The flaw, classified as an authentication bypass using an alternative path or channel (CWE-288), affects FortiOS versions 7.0 to 7.0.16 and FortiProxy versions 7.0 to 7.0.19 and 7.2 to 7.2.12.

Threat actors have been observed creating user groups, adding local users to existing SSLVPN user groups, and altering firewall policies on affected devices. They have also created local user accounts with random names and, in some cases, logged in to the SSLVPN with these accounts to reach the internal network.

Moreover, threat actors have been found creating admin accounts with random usernames on affected devices. Because the attack requires a known admin username, an attacker could potentially brute force the username if the targeted websocket is not an authentication point; a non-standard, non-guessable username for admin accounts therefore offers some protection.

FortiGuard Labs and cybersecurity researchers, including those at hunter.io, have reported attacks on affected Fortinet products, notably FortiWeb and FortiClient Enterprise Management Server. These observations point to active exploitation of vulnerabilities and advanced malware campaigns targeting these products.

Fortinet has provided workarounds in its advisory and recommends that users implement them, upgrade to the latest FortiOS and FortiProxy versions, investigate for potential compromise, and monitor for suspicious activity. The company has also published IP addresses associated with the threat actor, which may help in identifying suspicious activity.

The ACSC echoes Fortinet's recommendations and advises users to take immediate action to protect their systems. An attacker needs to know an admin account's username to perform the attack and log in to the Command Line Interface (CLI). Therefore, it is crucial to ensure that admin account usernames are secure and not easily guessable.

This vulnerability may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. As such, it poses a significant threat to the security of affected Fortinet products. Organisations are urged to act promptly to mitigate this risk and safeguard their networks.
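The indicators described above (local and admin accounts with random names, changes to SSLVPN user groups and firewall policies, VPN logins by newly added users) can be triaged from FortiGate-style key="value" event logs. The following Python is an added example, not Fortinet's or the ACSC's code; the log lines are constructed, and the field names (cfgpath, cfgobj, action, user) are assumed to follow FortiGate's syslog convention.

```python
import re
from typing import Dict, List

# Constructed sample events in the key="value" style FortiGate syslog uses.
# Field names follow that convention, but every line here is invented for this example.
SAMPLE_LOGS = [
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'action="Add" cfgpath="system.admin" cfgobj="x9Kq27Lp" msg="Add system.admin x9Kq27Lp"',
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'action="Add" cfgpath="user.local" cfgobj="t4Zb81Vn" msg="Add user.local t4Zb81Vn"',
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'action="Edit" cfgpath="user.group" cfgobj="sslvpn_users" cfgattr="member[t4Zb81Vn]"',
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="srcintf[ssl.root]"',
    'type="event" subtype="system" logdesc="Object attribute configured" user="admin" '
    'action="Add" cfgpath="user.local" cfgobj="jane.doe" msg="Add user.local jane.doe"',
    'type="event" subtype="vpn" logdesc="SSL VPN login" user="t4Zb81Vn" action="tunnel-up"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Config paths the advisory associates with post-compromise activity.
WATCHED_PATHS = {"system.admin", "user.local", "user.group", "firewall.policy"}

def parse_kv(line: str) -> Dict[str, str]:
    """Split a key="value" log line into a dict."""
    return dict(KV_RE.findall(line))

def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: alphanumeric only, at least 8
    characters, mixing letters and digits, with no dots, underscores or hyphens."""
    return (len(name) >= 8 and name.isalnum()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))

def triage(lines: List[str]) -> List[str]:
    """Return findings for events matching the indicators in the advisory:
    watched config changes, random-looking new accounts, and VPN logins by them."""
    findings, new_accounts = [], set()
    for line in lines:
        ev = parse_kv(line)
        path, obj, action = ev.get("cfgpath"), ev.get("cfgobj", ""), ev.get("action", "")
        if path in WATCHED_PATHS:
            tag = "random-name" if action == "Add" and looks_random(obj) else "config-change"
            findings.append(f"{tag}: {action} {path} {obj}")
            if action == "Add" and path in {"system.admin", "user.local"}:
                new_accounts.add(obj)  # remember accounts created in this window
        elif ev.get("subtype") == "vpn" and ev.get("user") in new_accounts:
            findings.append(f"vpn-login-by-new-account: {ev['user']}")
    return findings
```

Run over a real export, the account-creation events should be correlated with the administrative session that produced them and with the IP addresses Fortinet published.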
