This live blog contains information regarding the Fortinet RCE vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on March 14, 2023.
Update March 14, 2023
On the 7th of March 2023, Fortinet published an advisory describing CVE-2022-41328. This vulnerability is an improper limitation of a pathname to a restricted directory (path traversal) in FortiOS that allows a privileged attacker to read and write arbitrary files via crafted CLI commands.
Unknown attackers possibly exploited CVE-2022-42475 or CVE-2023-25610 to obtain the privileges required to abuse CVE-2022-41328. This latter vulnerability was used this month in attacks targeting government and large organizations, leading to OS and file corruption and data loss.
The vulnerability exists in the following products:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS 6.2 all versions
- FortiOS 6.0 all versions
Fortinet has published updates patching the vulnerability. It is strongly advised to upgrade as soon as possible.
- Please upgrade to FortiOS version 7.2.4 or above
- Please upgrade to FortiOS version 7.0.10 or above
- Please upgrade to FortiOS version 6.4.12 or above
Fortinet published an analysis of the incident and provides the IoCs identified during their ongoing investigation. It is recommended to validate your systems against the following indicators of compromise:
System/Logs
- String “execute wireless-controller hs20-icon upload-icon”
- String “User FortiManager_Access via fgfmd upload and run script”
Network
- 47.252.20.90
File Hashes
- Auth – b6e92149efaf78e9ce7552297505b9d5
- Klogd – 53a69adac914808eced2bf8155a7512d
- Support – 9ce2459168cf4b5af494776a70e0feda
- Smit – e3f342c212bb8a0a56f63490bf00ca0c
- Localnet – 88711ebc99e1390f1ce2f42a6de0654d
- Urls.py – 64bdf7a631bc76b01b985f1d46b35ea6
- Views.py – 3e43511c4f7f551290292394c4e21de7
- Fgfm – e2d2884869f48f40b32fb27cc3bdefff
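As an added illustration (not part of Fortinet's analysis or this blog's original content), the following Python scans exported FortiOS log lines for the two command strings and the IP address listed above and checks file MD5 sums against the listed hashes; the sample log lines are constructed, not real device output.

```python
import hashlib
import re
from pathlib import Path

# Indicators as listed in the Fortinet analysis quoted above.
LOG_STRINGS = (
    "execute wireless-controller hs20-icon upload-icon",
    "User FortiManager_Access via fgfmd upload and run script",
)
NETWORK_IOCS = {"47.252.20.90"}
FILE_HASHES = {  # MD5 -> file name from the advisory
    "b6e92149efaf78e9ce7552297505b9d5": "auth",
    "53a69adac914808eced2bf8155a7512d": "klogd",
    "9ce2459168cf4b5af494776a70e0feda": "support",
    "e3f342c212bb8a0a56f63490bf00ca0c": "smit",
    "88711ebc99e1390f1ce2f42a6de0654d": "localnet",
    "64bdf7a631bc76b01b985f1d46b35ea6": "urls.py",
    "3e43511c4f7f551290292394c4e21de7": "views.py",
    "e2d2884869f48f40b32fb27cc3bdefff": "fgfm",
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_lines(lines):
    """Return (line_number, indicator) for every log line matching an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, s) for s in LOG_STRINGS if s in line)
        hits.extend((n, ip) for ip in IP_RE.findall(line) if ip in NETWORK_IOCS)
    return hits


def hash_matches(paths):
    """Return {path: advisory file name} for files whose MD5 is a listed hash."""
    found = {}
    for p in paths:
        digest = hashlib.md5(Path(p).read_bytes()).hexdigest()
        if digest in FILE_HASHES:
            found[str(p)] = FILE_HASHES[digest]
    return found


# Constructed sample lines in FortiOS log style (not real device output).
SAMPLE_LOG = [
    'date=2023-03-10 time=10:01:02 msg="User admin via ssh: execute wireless-controller hs20-icon upload-icon"',
    "date=2023-03-10 time=10:05:44 srcip=10.0.0.5 dstip=47.252.20.90 action=accept",
    'date=2023-03-10 time=10:06:00 msg="User FortiManager_Access via fgfmd upload and run script"',
    "date=2023-03-10 time=10:07:00 srcip=10.0.0.5 dstip=10.0.0.1 action=accept",
]
```

Run `scan_log_lines` over an exported log and `hash_matches` over files pulled from a device to get the matching line numbers and file names; a hit on any indicator warrants the incident handling described in the call to action.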
Call to action
- Determine if your Fortinet product(s) is/are vulnerable;
- Apply the available software patches;
- Analyse the log files of the devices for indicators of exploitation;
- Analyse log files of other security solutions for indicators of exploitation;
- Contact Fortinet Customer Support, Tesorion-SOC or Tesorion-CERT in case indicators of exploitation are identified or if assistance is required.
If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
More information:
- Fortinet PSIRT Advisory: https://www.fortiguard.com/psirt/FG-IR-22-369
- Fortinet Analysis of FG-IR-22-369 https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Vulnerability information
On the 7th of March 2023, Fortinet published an advisory in which they describe CVE-2023-25610. This vulnerability is a heap buffer underflow in the FortiProxy administrative interface allowing an unauthenticated attacker to execute arbitrary code and/or perform a DoS on the GUI, via specifically crafted requests.
It is advised to apply the security patches as soon as possible. Fortinet is not aware of active exploitation in the wild.
Potential Risk
CVE-2023-25610 allows an unauthenticated attacker to execute arbitrary code and/or perform a DoS on the GUI via specifically crafted requests. The vulnerability has a CVSSv3 score of 9.3. The CVSS scale runs from 0 to 10; a score of 9.3 or higher is rare and implies a high risk of exploitation with high impact.
Fortinet is not aware of active exploitation in the wild.
Detail info
The vulnerability exists in the following products:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS version 6.2.0 through 6.2.12
- FortiOS 6.0 all versions
- FortiProxy version 7.2.0 through 7.2.2
- FortiProxy version 7.0.0 through 7.0.8
- FortiProxy version 2.0.0 through 2.0.12
- FortiProxy 1.2 all versions
- FortiProxy 1.1 all versions
Fortinet has published updates patching the vulnerability. It is strongly advised to upgrade as soon as possible.
- FortiOS version 7.4.0 or above
- FortiOS version 7.2.4 or above
- FortiOS version 7.0.10 or above
- FortiOS version 6.4.12 or above
- FortiOS version 6.2.13 or above
- FortiProxy version 7.2.3 or above
- FortiProxy version 7.0.9 or above
- FortiProxy version 2.0.12 or above
- FortiOS-6K7K version 7.0.10 or above
- FortiOS-6K7K version 6.4.12 or above
- FortiOS-6K7K version 6.2.13 or above
Fifty models listed in the security advisory are affected only by the DoS component of the vulnerability and not by the arbitrary code execution component, even when they run a vulnerable FortiOS version. The list of fifty models can be found in the security advisory: https://www.fortiguard.com/psirt/FG-IR-23-001.
When the patch cannot be applied, a workaround is available: disable the HTTP/HTTPS administrative interface, or limit the IP addresses that can reach the administrative interface.
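The two workaround options expressed as FortiOS CLI, added here as an illustration rather than taken from the advisory; the interface name port1, the account name admin and the management subnet 192.0.2.0/24 are assumptions to be replaced with your own values.

```text
# Weak: HTTP/HTTPS management reachable from any address on port1.
config system interface
    edit "port1"
        set allowaccess ping https ssh http
    next
end

# Hardened option 1: remove HTTP/HTTPS from the interface's allowed access
# (management then only via SSH, or via an interface not exposed to untrusted networks).
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# Hardened option 2: keep HTTPS but restrict the admin account to a trusted
# management subnet; logins from other source addresses are refused.
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
```

Apply the restriction to every administrator account and every interface on which administrative access is enabled, since one unrestricted account or interface leaves the workaround incomplete.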
Sources
- Fortinet PSIRT Advisory: https://www.fortiguard.com/psirt/FG-IR-23-001
- NCSC Advisory: https://www.ncsc.nl/actueel/advisory?id=NCSC-2023-0117