Heighten CORE Member

Fortinet Remote Access Trojan and February Vulnerability Announcement

Fortinet has issued a warning about the importance of patching critical vulnerabilities in edge network appliances. This coincides roughly with the February PSIRT advisories, which include two critical vulnerabilities in FortiOS, the operating system that runs on FortiGate and FortiWiFi appliances. The new vulnerabilities are in the FortiGate-to-FortiManager daemon (fgfmd) and the SSL VPN service (sslvpnd) on FortiGate and FortiWiFi appliances.


Only a couple of days before this announcement, the National Cyber Security Centre of the Netherlands issued an advisory regarding a Remote Access Trojan named COATHANGER that was designed specifically for FortiGate appliances. The advisory is based on an intrusion at the Netherlands' Ministry of Defence that was discovered in 2023. The malware is designed to be persistent and is difficult to detect; the advisory states that it survives reboots and firmware upgrades, and attributes it to Chinese state-sponsored actors. The embassy of the People's Republic of China in the Kingdom of the Netherlands issued a statement in response.


The document produced by the Netherlands' Ministry of Defence and Fortinet's article both include IOCs for detecting the presence of the malware on suspect appliances. Neither that document nor Fortinet's PSIRT advisory indicates whether the threat actors behind COATHANGER were leveraging the newly announced vulnerabilities, older vulnerabilities that have already been patched, or as-yet-unknown vulnerabilities. Either way, the existence of a RAT built specifically to infect and persist on FortiGate appliances is further reason to patch all edge firewall appliances immediately.


To mitigate the risk of these vulnerabilities, we strongly recommend that you patch to a remediated firmware release immediately.


Vulnerability in FortiManager Access (fgfmd) on FortiGates

Fortinet PSIRT Link: Format String bug in fgfmd

The vulnerability in fgfmd allows an unauthenticated attacker to send a specially crafted packet to an exposed fgfmd service and execute arbitrary commands or code. It can be mitigated by ensuring that FortiManager access (fgfm) is not enabled on any publicly facing interface of a FortiGate; this is a workaround that removes the exposure, not a fix for the bug itself.


You can find interfaces that have fgfm enabled in the GUI by checking the interface list for any row that shows "FMG-Access" in the Administrative Access column.



Alternatively, run "show system interface | grep -f fgfm" from the CLI. The "-f" option prints the entire configuration block that contains the match, so the output shows every interface with FortiManager access enabled, along with its address and role.
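The same check done offline against a saved copy of the "show system interface" output, as an added example that is not part of the original post and not Fortinet tooling. The interface names, addresses and roles in the sample are constructed. The parser keys on the exact "fgfm" token in the allowaccess line (settings at their default are not printed by "show", so an interface with no allowaccess line has no administrative access), lists WAN-role interfaces separately because those are the ones that expose fgfmd to the internet, and emits the CLI stanza that removes only fgfm while leaving the other protocols on each interface untouched.

```python
import re

# Constructed sample of "show system interface" output from a FortiGate.
# Interface names, addresses and roles are made up for this example.
SAMPLE_SHOW_SYSTEM_INTERFACE = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role lan
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https
        set type physical
        set role dmz
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_interfaces(config_text):
    """Return {interface_name: {setting: value}} for every edit block.

    'show' omits settings that are at their default, so an interface with
    no 'allowaccess' entry has no administrative access enabled at all.
    """
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2)
    return interfaces


def find_fgfm_interfaces(config_text):
    """List interfaces whose allowaccess contains the exact 'fgfm' token."""
    findings = []
    for name, settings in parse_interfaces(config_text).items():
        access = settings.get("allowaccess", "").split()
        if "fgfm" in access:
            findings.append({
                "name": name,
                "role": settings.get("role", "undefined").strip('"'),
                "allowaccess": access,
            })
    return findings


def wan_facing_fgfm(config_text):
    """Names of interfaces with fgfm enabled and role 'wan': the ones that
    expose fgfmd to the internet and need attention first."""
    return [f["name"] for f in find_fgfm_interfaces(config_text) if f["role"] == "wan"]


def remediation_cli(config_text):
    """Build the FortiOS CLI that strips fgfm from every interface that has
    it, keeping the other allowaccess protocols exactly as they were."""
    findings = find_fgfm_interfaces(config_text)
    if not findings:
        return ""
    lines = ["config system interface"]
    for f in findings:
        keep = [p for p in f["allowaccess"] if p != "fgfm"]
        lines.append(f'    edit "{f["name"]}"')
        if keep:
            lines.append("        set allowaccess " + " ".join(keep))
        else:
            lines.append("        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in find_fgfm_interfaces(SAMPLE_SHOW_SYSTEM_INTERFACE):
        print(f"{f['name']:<10} role={f['role']:<6} allowaccess={' '.join(f['allowaccess'])}")
    print("\nWAN-facing interfaces exposing fgfmd:", wan_facing_fgfm(SAMPLE_SHOW_SYSTEM_INTERFACE))
    print("\nRemediation CLI:\n" + remediation_cli(SAMPLE_SHOW_SYSTEM_INTERFACE))
```

Run it against the saved output of "show system interface" from each FortiGate (or each VDOM) and review the generated stanza before pasting it in; removing fgfm from an interface that a FortiManager legitimately reaches through will break central management until that access is restored on a non-public interface.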

To resolve the issue properly, upgrade to an unaffected version:

·       FortiOS >= 7.4.3

·       FortiOS >= 7.2.7

·       FortiOS >= 7.0.14


Vulnerability in SSL VPN service

Fortinet PSIRT Link: Out-of-bound write in sslvpnd

The vulnerability in the sslvpnd service allows an unauthenticated attacker to execute code remotely. Because SSL VPN is by design reachable from the internet, it is highly likely that many FortiGates have a vulnerable version of this service exposed. Fortinet also asserts that it is highly likely that this vulnerability is being exploited in the wild.

To remediate this vulnerability, upgrade to a fixed version. If you are unable to upgrade immediately, disable SSL VPN entirely (not just the web portal; disabling web mode alone does not remove the exposure). The versions to upgrade to are listed below:

·       FortiOS 7.6 is UNAFFECTED

·       FortiOS >= 7.4.3

·       FortiOS >= 7.2.7

·       FortiOS >= 7.0.14

·       FortiOS >= 6.4.15

·       FortiOS >= 6.2.16

·       FortiOS 6.0 – All versions are affected. Disable SSL VPN and upgrade to a supported, fixed branch as soon as possible
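An added example (not from the original post and not from Fortinet) that turns the list above into a branch-aware triage of "get system status" output. The version string is compared only against the fixed release of its own branch, because a plain numeric comparison would wrongly call 7.0.14 vulnerable next to 7.2.7. The sample status lines, model names and build numbers are constructed; the thresholds are the ones in the list above for the sslvpnd bug, with 7.6 treated as unaffected, 6.0 as having no fix, and any branch not in the list treated as unknown, which a practitioner should handle as vulnerable until confirmed.

```python
import re

# Constructed excerpts of "get system status"; the "Version:" line is the
# one that carries the firmware version. Models and builds are made up.
SAMPLES = {
    "patched_72": "Version: FortiGate-100F v7.2.7,build1577,240117 (GA)\nSerial-Number: FG100FTK00000000\n",
    "vuln_72": "Version: FortiGate-100F v7.2.5,build1517,230512 (GA)\n",
    "vuln_70": "Version: FortiGate-60F v7.0.12,build0523,230809 (GA)\n",
    "unaffected_76": "Version: FortiGate-200F v7.6.0,build3401,240725 (GA)\n",
    "eol_60": "Version: FortiGate-60E v6.0.17,build0484,220615 (GA)\n",
    "unknown": "Version: FortiGate-100D v5.6.14,build1727,200512 (GA)\n",
}

# Minimum fixed release per branch for the sslvpnd out-of-bound write,
# taken from the list in this post. 7.6 is not affected; 6.0 has no fix.
FIXED = {
    (7, 4): (7, 4, 3),
    (7, 2): (7, 2, 7),
    (7, 0): (7, 0, 14),
    (6, 4): (6, 4, 15),
    (6, 2): (6, 2, 16),
}
UNAFFECTED_BRANCHES = {(7, 6)}
NO_FIX_BRANCHES = {(6, 0)}

VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_text):
    """Extract (major, minor, patch) from 'get system status' output."""
    m = VERSION_RE.search(status_text)
    if not m:
        raise ValueError("no FortiOS version found in status output")
    return tuple(int(x) for x in m.groups())


def triage(status_text):
    """Classify a FortiGate against the sslvpnd advisory.

    Returns 'unaffected', 'fixed', 'vulnerable', 'no-fix' or 'unknown'.
    The comparison is done within the device's own branch only.
    """
    version = parse_version(status_text)
    branch = version[:2]
    if branch in UNAFFECTED_BRANCHES:
        return "unaffected"
    if branch in NO_FIX_BRANCHES:
        return "no-fix"
    if branch not in FIXED:
        return "unknown"
    return "fixed" if version >= FIXED[branch] else "vulnerable"


def required_action(status_text):
    """Map the triage result onto the action recommended in this post."""
    result = triage(status_text)
    branch = parse_version(status_text)[:2]
    if result in ("fixed", "unaffected"):
        return "no action for this vulnerability; keep patching on schedule"
    if result == "vulnerable":
        fixed = ".".join(str(n) for n in FIXED[branch])
        return f"upgrade to {fixed} or later; until then disable SSL VPN entirely"
    if result == "no-fix":
        return "disable SSL VPN now and migrate to a supported, fixed branch"
    return "branch not covered by the advisory; treat as vulnerable and disable SSL VPN until confirmed"


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        version = ".".join(str(n) for n in parse_version(text))
        print(f"{label:<14} v{version:<8} {triage(text):<11} -> {required_action(text)}")
```

Feed it the first lines of "get system status" collected from each device (the serial number line is handy for the inventory) and act on every result other than "fixed" or "unaffected". Note that this only answers whether the firmware carries the fix; it says nothing about whether a device was already compromised, which is what the COATHANGER IOCs are for.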


The Heighten Security CORE team is comprised of Fortinet-certified professionals who are readily available to assist you in understanding how these vulnerabilities can impact your organization. For help mitigating this security threat and/or any other threats in your environment, please contact us at contactus@hi10.io.


