
Fortinet appears to have kept a critical vulnerability under wraps for more than a week, amid reports that attackers are using it to execute malicious code on servers used by sensitive customer organizations.
Fortinet's silence is consistent with the lack of transparency it showed around previous zero-days exploited against its customers. With no authoritative source of information, customers, reporters, and others have few avenues other than the social media posts where the attacks are being discussed.
The vulnerability affects FortiManager. According to the post, the vulnerable versions include:
- 7.6.0 and below
- 7.4.4 and below
- 7.2.7 and below
- 7.0.12 and below
- 6.4.14 and below
Installing versions 7.6.1 or above, 7.4.5 or above, 7.2.8 or above, 7.0.13 or above, or 6.4.15 or above prevents exploitation. There are reports that the cloud-based FortiManager Cloud is vulnerable as well.
The vulnerability has been discussed since at least October 13. Fortinet hasn't published any public advisory or CVE designation that security practitioners could use to track the zero-day.
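As an added example (not Fortinet's code and not from the original article), the version ranges above turned into a small triage script: it parses FortiManager version strings, maps each to its branch, and reports whether the build is below the fixed release quoted here. The branch table is taken from the article as quoted; branches the article does not list are flagged rather than guessed.

```python
# Classify FortiManager versions against the affected ranges and fixed
# releases quoted in the article. Added example, not Fortinet's own code.
from typing import NamedTuple, Optional

# Per-branch minimum fixed release, copied from the article's list (assumed
# accurate as quoted; confirm against the vendor advisory once published).
FIXED_BY_BRANCH = {
    (7, 6): (7, 6, 1),
    (7, 4): (7, 4, 5),
    (7, 2): (7, 2, 8),
    (7, 0): (7, 0, 13),
    (6, 4): (6, 4, 15),
}

class Verdict(NamedTuple):
    version: tuple
    status: str             # "vulnerable", "fixed", or "unlisted"
    fixed_in: Optional[tuple]

def parse_version(text: str) -> tuple:
    """Parse 'v7.4.3' or '7.4.3' into a (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiManager version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(text: str) -> Verdict:
    """Return whether a FortiManager build falls inside an affected range."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Branches the article does not list (e.g. 6.2.x) cannot be judged
        # from this data; flag them for manual follow-up instead of assuming.
        return Verdict(version, "unlisted", None)
    status = "fixed" if version >= fixed else "vulnerable"
    return Verdict(version, status, fixed)

def triage(inventory: dict) -> dict:
    """Map hostnames to verdicts, e.g. from an asset-inventory export."""
    return {host: assess(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"fmg-prod-01": "7.4.3", "fmg-lab": "v7.6.1", "fmg-old": "6.2.9"}
    for host, v in triage(sample).items():
        print(host, ".".join(map(str, v.version)), v.status, v.fixed_in)
```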
According to independent researcher Kevin Beaumont, the flaw stems from a default FortiManager setting that allows devices with unknown or unauthorized serial numbers to register themselves into an organization’s FortiManager dashboard. Precise details still aren’t clear, but a now-deleted comment on Reddit indicated that the zero-day allows attackers to “steal a Fortigate certificate from any Fortigate, register to your FortiManager and gain access to it.”
Beaumont published a post saying the vulnerability likely resides in the FortiGate-to-FortiManager protocol, FGFM, which lets FortiGate firewall devices communicate with the manager over port 541. The Shodan search engine shows more than 60,000 such connections exposed to the Internet.
With no public advisory from Fortinet, there is no authoritative information on indicators of compromise, how widely the vulnerability is being exploited, or what types of malicious activity occur inside infected networks.



Nice information 🙏🙏