Fortinet vulnerabilities Allow attackers to execute arbitrary code remotely

Fortinet, a global leader in cybersecurity, has recently issued urgent advisories regarding two critical vulnerabilities impacting its FortiWLM and FortiManager products. If exploited, these vulnerabilities could enable attackers to execute unauthorized code or commands remotely. Such flaws threaten enterprise networks, potentially granting malicious actors complete control over critical systems.

Fortinet has responded swiftly by releasing patches to mitigate these vulnerabilities. However, organizations using FortiWLM or FortiManager are urged to act immediately by applying the updates and reviewing their network configurations for any signs of compromise. As cybersecurity threats evolve, this incident is a stark reminder of the importance of proactive security measures, including regular vulnerability assessments and robust access controls.

The NCSC encourages UK companies to take urgent action to mitigate a vulnerability affecting Fortinet FortiManager (CVE-2024-47575) and to follow the most recent vendor recommendations.

What’s happened?

Fortinet has issued a security advisory regarding a high-severity vulnerability in its FortiManager product, tracked as CVE-2024-47575. This missing authentication flaw could allow a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted requests. FortiManager, a widely used network management solution, is critical for controlling and monitoring enterprise security devices. This vulnerability poses a significant risk to organizations relying on Fortinet’s network management solutions.

The vulnerability arises due to insufficient authentication mechanisms in FortiManager, exposing it to remote exploitation. A successful attack could allow unauthorized individuals to access the system, manipulate configurations, extract sensitive data, or deploy malicious payloads. Fortinet has acknowledged reports of active exploitation of this vulnerability, raising the stakes for businesses using vulnerable software versions.

Fortinet urges all customers to take immediate action by applying the patches released in their latest software updates. Users are also advised to review their network traffic logs and system configurations for any unusual activity indicating compromise. Fortinet emphasizes the importance of prompt remediation, as delays could leave enterprise networks vulnerable to sophisticated attacks.

This incident underscores the importance of maintaining up-to-date software and implementing robust cybersecurity protocols. Organizations should consider adding additional layers of defense, such as access controls and regular vulnerability assessments, to mitigate risks. The active exploitation of CVE-2024-47575 is a stark reminder that even trusted and widely adopted solutions can be targeted by attackers.

Who is affected?

Organizations utilizing Fortinet FortiManager, FortiManager Cloud, and older FortiAnalyzer models with the FortiManager feature enabled are at risk of exploitation due to recently disclosed vulnerabilities. These products, often critical for managing and monitoring enterprise networks, are vulnerable to attacks allowing unauthorized access, execution of arbitrary code, and compromise of sensitive data. The vulnerabilities highlight a pressing security concern for businesses relying on these tools to safeguard their IT infrastructure.

The impact of these flaws underscores the importance of assessing product configurations and promptly applying available patches. Enterprises using older models or cloud-based management solutions are particularly at risk, as attackers may exploit unpatched systems to infiltrate and manipulate network environments. Organizations must swiftly mitigate the threat by following Fortinet’s advisory, updating affected systems, and implementing additional security measures.

Fortinet vulnerabilities in FortiManager (CVE-2024-48889):

Another severe vulnerability, identified as CVE-2024-48889, impacts Fortinet’s FortiManager, a unified security management solution.

This issue, assigned a CVSS score of 7.2, is caused by inadequate handling of special characters in operating system commands (CWE-78), which could allow authorized attackers to execute arbitrary code remotely. The vulnerable versions include:

• FortiManager 7.6: 7.6.0
• FortiManager 7.4: 7.4.0 through 7.4.4
• FortiManager 7.4 Cloud: 7.4.1 through 7.4.4
• FortiManager 7.2: 7.2.3 through 7.2.7
• FortiManager 7.2 Cloud: 7.2.1 through 7.2.7
• FortiManager 7.0: 7.0.5 through 7.0.12
• FortiManager 7.0 Cloud: 7.0.1 through 7.0.12
• FortiManager 6.4: 6.4.10 through 6.4.14

Credential Exposure Risk in FortiOS and FortiProxy

A critical vulnerability, tracked as CVE-2023-41677, affects both FortiOS and FortiProxy products. This high-severity flaw arises from insufficient credentials protection, enabling attackers to obtain the administrator cookie. Attackers can exploit this weakness by convincing an administrator to visit a malicious website through the SSL-VPN to gain unauthorized access to sensitive systems.

Exploiting this vulnerability poses significant risks to the security of enterprise networks, as it could allow attackers to bypass authentication and potentially control key management functions. Fortinet has issued advisories recommending prompt patching to mitigate this vulnerability. Organizations using affected versions of FortiOS and FortiProxy should immediately apply the updates to prevent potential exploitation.

FortiClientMac Vulnerabilities:

• CVE-2023-45588 and CVE-2024-31492 affect FortiClientMac, allowing local attackers to execute arbitrary code or commands.
• These flaws arise when malicious configuration files are placed in the temporary directory before starting the FortiClientMac installation process.

FortiSandbox Vulnerabilities:

• CVE-2024-23671 could lead to arbitrary file deletion in FortiSandbox.
• CVE-2024-21755 and CVE-2024-21756 could allow arbitrary command execution within FortiSandbox.

FortiProxy & FortiOS JS Execution Flaw

Vulnerability Overview:

• CVE-2023-29183 (CVSS score 7.3) describes an issue in FortiProxy and FortiOS related to improper input handling during web page generation.

Exploitation Risk:

• An authenticated attacker could exploit this flaw by manipulating guest management settings to execute malicious JavaScript code on the affected system.

Impacted Versions:

• FortiProxy: Versions 7.0.x and 7.2.x
• FortiOS: Versions 6.2.x, 6.4.x, 7.0.x, 7.2.x

Patches Released:

• Fortinet has released updated versions to address the vulnerability:

FortiProxy: 7.0.11, 7.2.5

FortiOS: 6.2.15, 6.4.13, 7.0.12, 7.2.5, 7.4.0

Critical Fortinet Vulnerabilities: Addressing Code Injection and Credential Exposure Risks

Fortinet has recently disclosed multiple vulnerabilities affecting several of its widely used cybersecurity products. Among these, the critical flaw CVE-2023-45590, with a CVSS score 9.4, is particularly concerning. It is described as a code injection vulnerability that allows unauthenticated, remote attackers to execute arbitrary code or commands. This can occur if attackers successfully lure users into visiting a malicious website, exposing organizations to significant risks.

This vulnerability impacts explicitly FortiClientLinux versions 7.2.0, 7.0.6 through 7.0.10, and 7.0.3 through 7.0.4. Fortinet addressed the issue by releasing updated versions 7.2.1 and 7.0.11, which users are strongly advised to deploy immediately. Given the critical nature of the flaw, organizations utilizing these versions of FortiClientLinux must ensure timely patching to protect against potential exploitation.

In addition to CVE-2023-45590, Fortinet has patched several high-severity vulnerabilities in other products, including FortiOS, FortiProxy, FortiClientMac, and FortiSandbox. One notable issue, tracked as CVE-2023-41677, affects FortiOS and FortiProxy. This vulnerability stems from inadequate credentials protection, allowing attackers to obtain administrator cookies by convincing administrators to visit a malicious website through the SSL-VPN. Such flaws can compromise the integrity of administrative accounts, resulting in unauthorized access to critical systems.

Fortinet’s swift action in releasing updates highlights the importance of proactive vulnerability management in the face of evolving cyber threats. While patches are available, organizations are responsible for implementing them promptly and reviewing their systems for potential compromise. A delay in addressing these vulnerabilities could result in unauthorized access, data breaches, or network-wide disruptions.

Additional NCSC resources:

The NCSC provides a range of guidelines, services, and tools to assist your organization in safeguarding its systems.

Adopt NCSC Guidance for Comprehensive Security:

• Follow the National Cyber Security Centre’s (NCSC) detailed guidance on critical aspects of cybersecurity, including effective vulnerability management and strategies to prevent lateral movement within your network.

Leverage the NCSC Early Warning Service:

• Organizations in the UK can subscribe to the free NCSC Early Warning service to receive timely alerts about potential cyber threats targeting their networks. Existing users are encouraged to check their MyNCSC portal for updates.

Implement a Vulnerability Disclosure Process:

• Utilize the NCSC’s Vulnerability Disclosure Toolkit, which provides practical resources for organizations to establish and maintain an effective vulnerability disclosure process.

Strengthen Proactive Threat Management:

• The NCSC offers tools and services designed to help organizations of all sizes proactively secure their systems and respond effectively to emerging threats.

Stay Ahead with NCSC Resources:

• By integrating NCSC recommendations into its cybersecurity framework, your organization can enhance its resilience against evolving cyber risks and more effectively protect critical assets.

For more:

https://www.ncsc.gov.uk/news/vulnerability-fortinet-fortimanager

https://www.securityweek.com/fortinet-patches-critical-rce-vulnerability-in-forticlientlinux

https://www.cisecurity.org/advisory/a-vulnerability-in-fortinet-fortimanager-could-allow-for-remote-code-execution_2024-120