Governance & Risk Management , Patch Management , Vulnerability Assessment & Penetration Testing (VA/PT)
Fortinet Edge Devices Under Attack - Again
Hackers May Have Reverse-Engineered February PatchHackers may have circumvented a months-old patch for Fortinet gateway devices leading to a warning from the U.S. federal government over its active exploitation.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
At least one security researcher says Fortinet also faces the prospect of another zero-day vulnerability that hasn't yet been codified through the Common Vulnerabilities and Exposures system.
The Silicon Valley firewall and VPN maker is among the crowd of edge device makers that have seen nation-state hacker attention skyrocket over the past two years. A Chinese cyberespionage campaign targeting FortiGate security appliances spotted by the Dutch National Cyber Security Center in February proved to be "much larger than previously known," the agency warned in June.
The U.S. federal advisory, transmitted Oct. 9 by the Cybersecurity and Infrastructure Security Agency, said hackers are actively exploiting, CVE-2024-23113. The flaw allows attackers to convey a specially formatted string that crashes the bespoke Linux operating system powering Fortinet devices. Hackers can include in the string instructions for adding a user or pushing configuration updates.
Fortinet in February patched the flaw, which is rated 9.8 on the CVSS scale of 10, making its application critical. Internet scans by the Shadowserver Foundation show roughly 88,000 vulnerable instances worldwide.
Some security researchers say it appears the February patch didn't fully squash the bug.
"What I strongly suspect happened is Fortinet patched it, they didn't rigorously test the entire function, and then someone - most likely a nation-state actor - discovered they could use a lightly modified attack to exploit the same flaw," said Bobby Kuzma, director of offensive cyber operations at ProCircular.
Indicators pointing that direction include the sudden disappearance over the past week from GitHub of proof-of-concept repositories for CVE-2024-23113 exploits - evidence of concern by cybersecurity specialists over the flaw, Kuzma told Information Security Media Group.
Fortinet also advised customers over the weekend to update their firewall rules, suggesting an attack based on a specific string pattern or from a very limited set of IP addresses, he added. ISMG has not seen the advisory, which one systems administrator described as carrying "TLP:AMBER+STRICT" disclosure limits.
The advisory is evidence of a separate vulnerability from CVE-2024-23113, asserted security researcher Kevin Beaumont on Wednesday.
If Beaumont is correct - and Fortinet did not return multiple attempts for comment - the zero-day would be the latest in a series of vulnerabilities rated critical or high that Fortinet customers have had to mitigate this year. Of the 27 CVEs Fortinet has recorded so far this year, nearly four out of 10 rate at least a 7 on the CVSS scale, including a February zero-day exploited in the wild.
Edge device and network infrastructure vulnerabilities tend to rate high in metrics of cybersecurity urgency, WithSecure found in June. The number of edge device and infrastructure flaws that CISA warns are actively exploited has also appreciably risen this year compared to the last, the cybersecurity company said.
Unlike endpoint devices, edge devices aren't put on a regular tempo of patch updates, Kuzma said. But they're not necessarily hard to exploit. "Most of the appliances are literally Linux boxes with fancy cases. They're standard Linux systems that have all of the power and capability and familiarity you get with that."
Hackers have turned to edge devices as endpoints become harder to hack - and because they're often not subject to rigorous detection and logging requirements. And once hackers find their way inside an edge device, most don't have "any restriction on talking to the rest of the network environment," Kuzma said.