Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution

I. Targeted Entities

  • Fortinet product users

II. Introduction

Multiple vulnerabilities have recently been identified in Fortinet products. These products provide network security solutions intended to protect networks, data, and users from constantly emerging threats. (FortiGuard, 2023)

III. Background Information

Fortinet has recently disclosed a vulnerability rated “Critical” that affects both FortiOS and FortiProxy. The flaw allows an unauthenticated attacker to execute arbitrary code or cause a denial of service (DoS) on the graphical user interface (GUI) of affected devices by sending specially crafted requests. (Toulas, 2023)

The vulnerability is tracked as CVE-2023-25610 and has been assigned a CVSS v3 score of 9.3, which is classified as critical. It is a buffer underflow, a class of flaw that occurs when a program attempts to read more data from a memory buffer than is available; the read then reaches adjacent memory locations, which can result in unstable behavior or a system crash. Fortinet’s telemetry data showed no evidence that threat actors had exploited the vulnerability in real-world attacks. (MS-ISAC, 2023)

According to Fortinet’s security bulletin, fifty device models are not affected by the arbitrary code execution aspect of the vulnerability. These same models remain vulnerable to the denial-of-service aspect, however, if they are running a vulnerable version of FortiOS. (Toulas, 2023)

Affected Products:

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS version 6.2.0 through 6.2.12
  • FortiOS 6.0 all versions
  • FortiProxy version 7.2.0 through 7.2.2
  • FortiProxy version 7.0.0 through 7.0.8
  • FortiProxy version 2.0.0 through 2.0.12
  • FortiProxy 1.2 all versions
  • FortiProxy 1.1 all versions
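The affected-version ranges above are the first thing an operations team needs when triaging an inventory. The following Python script is an added example, not part of the advisory or of any Fortinet tooling: it encodes the ranges exactly as listed above and flags which devices in a constructed sample inventory fall inside them. It checks version strings only; the fifty device models that Fortinet exempts from the code-execution aspect are not modelled here, so a hit means "running a listed version", not "confirmed exploitable for RCE".

```python
# Added example: match FortiOS / FortiProxy version strings against the affected
# ranges listed in this advisory for CVE-2023-25610.
# The ranges are copied from the advisory text; the inventory below is constructed.

from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn 'v7.0.9', '7.0.9' or '6.0' into a comparable tuple of ints.

    Versions are padded to three components so that '7.2' compares as 7.2.0.
    """
    parts = s.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: Version             # inclusive lower bound
    high: Optional[Version]  # inclusive upper bound; None = every release on the 'low' branch


# Ranges exactly as listed in the advisory's "Affected Products" section.
AFFECTED: List[AffectedRange] = [
    AffectedRange("FortiOS", (7, 2, 0), (7, 2, 3)),
    AffectedRange("FortiOS", (7, 0, 0), (7, 0, 9)),
    AffectedRange("FortiOS", (6, 4, 0), (6, 4, 11)),
    AffectedRange("FortiOS", (6, 2, 0), (6, 2, 12)),
    AffectedRange("FortiOS", (6, 0), None),        # "FortiOS 6.0 all versions"
    AffectedRange("FortiProxy", (7, 2, 0), (7, 2, 2)),
    AffectedRange("FortiProxy", (7, 0, 0), (7, 0, 8)),
    AffectedRange("FortiProxy", (2, 0, 0), (2, 0, 12)),
    AffectedRange("FortiProxy", (1, 2), None),     # "FortiProxy 1.2 all versions"
    AffectedRange("FortiProxy", (1, 1), None),     # "FortiProxy 1.1 all versions"
]


def is_affected(product: str, version: str) -> bool:
    """True if the given product/version falls inside any listed affected range."""
    v = parse_version(version)
    for r in AFFECTED:
        if r.product.lower() != product.strip().lower():
            continue
        if r.high is None:
            # Branch-wide entry: compare only the leading components (e.g. 6.0.x).
            if v[: len(r.low)] == r.low:
                return True
        elif r.low <= v <= r.high:
            return True
    return False


# Constructed sample inventory: (hostname, product, running version).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.2.3"),
    ("fw-dc-02", "FortiOS", "7.2.4"),
    ("proxy-01", "FortiProxy", "2.0.12"),
    ("fw-lab", "FortiOS", "6.0.16"),
    ("proxy-02", "FortiProxy", "7.0.9"),
]


def triage(inventory) -> List[str]:
    """Return the hostnames whose product/version is in an affected range."""
    return [name for name, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: running a version listed as affected by CVE-2023-25610")
```

Because the advisory lists "all versions" for some branches, those entries are matched by prefix rather than by an upper bound; the remaining entries use an inclusive range check on the padded tuples, which is why a bare "7.2" is treated as 7.2.0.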

For those who cannot apply the updates immediately, Fortinet recommends either disabling the HTTP/HTTPS administrative interface or restricting the IP addresses that are allowed to reach it remotely. The security advisory provides instructions for implementing these workarounds, including for administrative interfaces that run on non-default ports.

Threat actors actively search for critical-severity vulnerabilities in Fortinet products, particularly those that require no authentication to exploit, because such flaws give them a means of gaining initial access to corporate networks. As a result, it is critical to address this vulnerability quickly. (Toulas, 2023)

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.
  • T1499 – Endpoint Denial of Service
    Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition.

V. Recommendations

  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any message that demands immediate attention or asks them to follow links or download files; the source of every such message should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) so that unknown malware can be detected and blocked on the endpoints you manage.
  • Refer to Threat Intelligence From OSINT
    Stay informed about the latest threats and risks through outside sources that track new developments related to this vulnerability.

VI. References

  • Toulas, B. (2023, March 8). Fortinet warns of new critical unauthenticated RCE vulnerability. BleepingComputer. Retrieved March 13, 2023, from https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-unauthenticated-rce-vulnerability/
  • FortiGuard. (n.d.). PSIRT monthly advisory: March 2023 vulnerability advisories. Retrieved March 13, 2023, from https://www.fortiguard.com/psirt-monthly-advisory/march-2023-vulnerability-advisories
  • FortiGuard. (n.d.). PSIRT advisory FG-IR-23-001. Retrieved March 13, 2023, from https://www.fortiguard.com/psirt/FG-IR-23-001
  • MITRE ATT&CK. (n.d.). Endpoint Denial of Service, Technique T1499 – Enterprise. Retrieved March 13, 2023, from https://attack.mitre.org/techniques/T1499/
  • MITRE ATT&CK. (n.d.). Exploit Public-Facing Application, Technique T1190 – Enterprise. Retrieved March 13, 2023, from https://attack.mitre.org/techniques/T1190/
  • Recorded Future. (n.d.). Recorded Future: Securing our world with intelligence. Retrieved March 13, 2023, from https://www.recordedfuture.com/
  • MS-ISAC. (2023, March 8). MS-ISAC Cybersecurity Advisory – Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution – PATCH NOW – TLP: CLEAR.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut
