Warning Issued for Potential Security Breaches in FortiOS and FortiProxy Systems
In a recent development, the Australian Cyber Security Centre (ACSC) has issued an alert about certain Fortinet products due to a security vulnerability. The vulnerability, classified as an authentication bypass using an alternative path or channel (CWE-288), affects FortiOS versions 7.0 to 7.0.16 and FortiProxy versions 7.0 to 7.0.19 and 7.2 to 7.2.12.
Threat actors have been observed creating user groups, adding local users to existing SSLVPN user groups, and altering firewall policies on affected devices. They have also created local user accounts using random names and, in some cases, have logged in to the SSLVPN with these added local users to gain access to the internal network.
Threat actors have also been found to create admin accounts with random usernames on affected devices. An attacker could potentially brute force an admin username if the targeted websocket is not an authentication point; even so, a non-standard, non-guessable username for admin accounts offers some protection.
Organisations including FortiGuard Labs and cybersecurity researchers such as those from hunter.io have reported observations of attacks on affected Fortinet products, notably FortiWeb and FortiClient Enterprise Management Server. These observations highlight active exploitation of vulnerabilities and the deployment of advanced malware campaigns targeting these products.
Fortinet has provided workarounds in its advisory and recommends that users apply them, upgrade to the latest FortiOS and FortiProxy versions, investigate for potential compromise, and monitor for suspicious activity. The company has also listed IP addresses associated with the threat actor, which may assist in identifying suspicious activity.
The ACSC echoes Fortinet's recommendations and advises users to take immediate action to protect their systems. An attacker needs to know an admin account's username to perform the attack and log in to the Command Line Interface (CLI). Therefore, it is crucial to ensure that admin account usernames are secure and not easily guessable.
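The configuration changes described above (new admin accounts with random names, local users added to SSLVPN groups, edited firewall policies) are what Fortinet's advice to monitor for suspicious activity comes down to in practice. The following Python is an added example, not code from the alert or from Fortinet: it flags those changes in FortiOS-style key=value config-change events. The sample log lines, the device addresses and the random-name heuristic are constructed assumptions for this example.

```python
import re
# Config paths matching the activity in the alert: admin accounts, local users, user groups, firewall policies.
SENSITIVE_CFGPATHS = {"system.admin", "user.local", "user.group", "firewall.policy"}

# Constructed FortiOS-style config-change events (hypothetical names, times and addresses).
SAMPLE_LOGS = [
    'date=2025-01-20 time=10:01:02 user="admin" ui="GUI(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="xq7vb2k9"',
    'date=2025-01-20 time=10:02:15 user="admin" ui="GUI(10.0.0.5)" action="Edit" cfgpath="user.group" '
    'cfgobj="SSLVPN_Users" cfgattr="member[alice]->member[alice zr48mq1p]"',
    'date=2025-01-20 time=10:03:40 user="admin" ui="GUI(10.0.0.5)" action="Edit" cfgpath="system.interface" cfgobj="port1"',
    'date=2025-01-20 time=10:05:00 user="jsmith" ui="ssh(10.0.0.9)" action="Add" cfgpath="user.local" cfgobj="backup-operator"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line: str) -> dict:
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def looks_random(name: str) -> bool:
    """Assumed heuristic (not a Fortinet rule): letters mixed with digits and almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(name) < 6 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return any(c.isdigit() for c in name) and vowel_ratio < 0.2

def detect(lines: list) -> list:
    """Alert on sensitive config changes; raise severity when a random-looking name is added."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        path = ev.get("cfgpath", "")
        if path not in SENSITIVE_CFGPATHS:
            continue
        alert = {"time": ev.get("time", ""), "admin": ev.get("user", ""), "source": ev.get("ui", ""),
                 "action": ev.get("action", ""), "path": path, "object": ev.get("cfgobj", ""), "severity": "medium"}
        # New admin or local user accounts with random names match the reported tradecraft.
        if alert["action"] == "Add" and looks_random(alert["object"]):
            alert["severity"] = "high"
        # Group edits: inspect the member list after "->" for random-looking additions.
        attr = ev.get("cfgattr", "")
        if path == "user.group" and "->" in attr:
            added = re.findall(r"[\w.-]+", attr.split("->", 1)[1])
            if any(looks_random(m) for m in added if m != "member"):
                alert["severity"] = "high"
        alerts.append(alert)
    return alerts
```

Run against real exports, the same logic should be fed from the device's event log stream so that changes made through the CLI or GUI by an unexpected source address stand out alongside the random-name hits.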
This vulnerability may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. As such, it poses a significant threat to the security of affected Fortinet products. Organisations are urged to act promptly to mitigate this risk and safeguard their networks.