FortiOS and FortiProxy Compromise Alert Issued

The Australian Cyber Security Centre (ACSC) has issued an alert about certain Fortinet products. The cybersecurity company has advised of an authentication bypass using an alternative path or channel vulnerability (CWE-288) affecting FortiOS and FortiProxy that may allow a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.

The Fortinet vulnerability advisory describes possible indicators of compromise and IPs associated with the threat actor, which may assist in identifying suspicious activity.

Affected versions/applications:

  • FortiOS version 7.0 – 7.0.0 through 7.0.16
  • FortiProxy version 7.0 – 7.0.0 through 7.0.19
  • FortiProxy version 7.2 – 7.2.0 through 7.2.12

Fortinet advises that threat actors have been observed creating an admin account on the affected device with a random user name; creating a local user account on the device using a random name; creating a user group or adding the above local user to an existing sslvpn user group; adding/changing other settings (firewall policy, etc.); and logging in to the sslvpn with the above-added local users to get a tunnel to the internal network.

“Please note as well that an attacker needs to know an admin account’s username to perform the attack and log in to the CLI,” Fortinet’s advisory reads. “Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice. Keep in mind, however, that the targeted websocket not being an authentication point, nothing would prevent an attacker from bruteforcing the username.”

Fortinet has included workarounds in its advisory. The ACSC recommends users of the affected products implement the workarounds, upgrade to the latest FortiOS and FortiProxy versions, investigate for potential compromise of these products using the published indicators of compromise, and monitor and investigate for suspicious activity in connected environments.
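One way to hunt for the post-compromise sequence Fortinet describes (new admin account, new local user, group membership, settings change, sslvpn login) is to correlate account events in time order. This is an added example, not code from the ACSC alert or Fortinet's advisory; the event schema, field names and sample lines are constructed, so map your device's log fields onto these hypothetical names.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized key=value schema
# (not the native FortiOS/FortiProxy log format).
SAMPLE = """\
ts=2025-01-10T02:11:04 event=admin_add name=k3Vq9x by=admin
ts=2025-01-10T02:13:40 event=user_add name=Zp4rTm by=k3Vq9x
ts=2025-01-10T02:14:02 event=group_member_add group=sslvpn-users name=Zp4rTm by=k3Vq9x
ts=2025-01-10T02:15:30 event=policy_change name=policy-12 by=k3Vq9x
ts=2025-01-10T02:20:11 event=sslvpn_login name=Zp4rTm
ts=2025-01-10T09:00:00 event=sslvpn_login name=alice
"""

def parse(text):
    """Turn key=value lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            fields = dict(tok.split("=", 1) for tok in shlex.split(line))
            fields["ts"] = datetime.fromisoformat(fields["ts"])
            events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def find_chains(events, window=timedelta(hours=24)):
    """Flag new admins, settings changed by them, and sslvpn logins by
    local users that were created and grouped within the window."""
    new_admins, new_users, grouped, findings = {}, {}, set(), []
    for e in events:
        kind, name, ts = e["event"], e["name"], e["ts"]
        if kind == "admin_add":
            new_admins[name] = ts
            findings.append(("new_admin", name, ts))
        elif kind == "user_add":
            new_users[name] = (ts, e.get("by"))
        elif kind == "group_member_add" and name in new_users:
            grouped.add(name)
        elif kind == "policy_change" and e.get("by") in new_admins:
            findings.append(("config_change_by_new_admin", name, ts))
        elif kind == "sslvpn_login" and name in grouped:
            created, creator = new_users[name]
            if ts - created <= window:
                findings.append(("new_user_vpn_login", name, ts))
                if creator in new_admins and created - new_admins[creator] <= window:
                    findings.append(("full_chain", f"{creator}->{name}", ts))
    return findings

if __name__ == "__main__":
    for finding in find_chains(parse(SAMPLE)):
        print(finding)
```

Every `new_admin` finding still needs checking against change records, since legitimate administrator onboarding produces the same event.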
