U.S. Federal Government Gives Agencies Three Weeks to Patch or Mitigate
Fortinet publicly disclosed Wednesday an actively exploited vulnerability in its centralized management platform following more than a week of online chatter that edge device manufacturer products have been under renewed attack.
See Also: The Forrester Wave™: Operational Technology Security Solutions, Q2 2024
The Silicon Valley company said a flaw in FortiManager allows remote unauthenticated hackers to execute arbitrary code or commands - and that "reports have shown this vulnerability to be exploited in the wild." The U.S. Cybersecurity and Infrastructure Agency on Wednesday afternoon added the flaw to its catalog of known exploited vulnerabilities and gave federal agencies three weeks to patch or mitigate.
The flaw, tracked as CVE-2024-47575 carries a rating of 9.8 out of 10 on the CVSS scale, making its remediation urgent. Cybersecurity researcher Kevin Beaumont, who raised the prospect of a new Fortinet zero-day on Oct. 13 - and who has repeatedly criticized Fortinet for lack of transparency - christened the vulnerability "FortiJump."
Present in on-premises and cloud instances of FortiManager, the flaw takes advantage of a setting allowing any known or unknown device to connect to FortiManager. Devices need a valid certificate before the management platform will recognize them. "You can just take a certificate from a FortiGate box and reuse it. So, effectively, there's no barrier to registering," Beaumont wrote. A search for vulnerable devices exposed to the internet turned up about 60,000 of them, he added.
Once connected, Fortinet said attackers run automated scripts to exfiltrate files that contain the IP addresses, credentials and configurations of other network edge devices connected to FortiManager. The company said it has not received reports of hackers exploiting the flaw to install malware or backdoors. "To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices."
Fortinet responded to questions about the disclosure timeline and transparency with a prepared statement that the company "promptly communicated critical information and resources to customers. This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors."
It added: "We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."
The days leading up to Wednesday's disclosure were marked by public confusion over whether mounting concern over a new Fortinet vulnerability was sparked by a previously unknown flaw or whether it stemmed from a February flaw that the U.S. federal government warned Oct. 9 was still being actively exploited (see: Fortinet Edge Devices Under Attack - Again).
Fortinet advised customers to upgrade, although Bleeping Computer reported that not all upgrades are currently available.
The company also posted workarounds, including toggling the settings so that unknown devices can't register. Some FortiManager versions allow systems administrators to require that devices have custom certificates. "This can act as a workaround, providing the attacker cannot obtain a certificate signed by this CA via an alternate channel." Additionally, some versions allow administrators to create a whitelist of IP addresses allowed to connect to the centralized management platform.
The attackers have not been publicly attributed. Researchers spotted Chinese nation-state hackers targeting Fortinet security appliances in a campaign the Dutch National Cyber Security Center in June said was "much larger than previously known" (see: Dutch Agency Renews Warning of Chinese Fortigate Campaign).
Nation-state hacker attention to network edge devices has skyrocketed over the past two years, sparking mounting interest by researchers who have discovered that some of the appliances contain risks such as obsolete software (see: Ivanti Uses End-of-Life Operating Systems, Software Packages). "Most of the appliances are literally Linux boxes with fancy cases. They're standard Linux systems that have all of the power and capability and familiarity you get with that," security researcher Bobby Kuzma told Information Security Media Group earlier this month.