Australian organizations using Fortinet products have been advised to take swift action in response to a recent advisory alert issued by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). The alert, geared towards technical users within both private and public sectors, highlights the active exploitation of previously known vulnerabilities within Fortinet devices.
Malicious actors have been observed exploiting older, unpatched vulnerabilities in order to gain unauthorized access to Fortinet devices. Despite patches being released in the past, many devices were either not updated in a timely manner or fell victim to attacks before security fixes could be implemented.
The latest findings from Fortinet indicate that threat actors are actively targeting three specific vulnerabilities within Fortinet devices:
1. FG-IR-24-015: Out-of-bounds write vulnerability in sslvpnd.
2. FG-IR-23-097: Heap buffer overflow during SSL VPN pre-authentication.
3. FG-IR-22-398: Heap-based buffer overflow in sslvpnd.
These vulnerabilities impact the SSL VPN component in Fortinet’s FortiGate devices, commonly utilized by businesses for secure remote access. Despite previous patches being released to address these vulnerabilities, a new technique has emerged where attackers can maintain read-only access to devices even after the original security flaws have been patched. This access is facilitated through the insertion of a symbolic link that connects user and root filesystems via a folder used for serving language files in the SSL VPN. This method evades detection and enables attackers to access potentially sensitive information such as device configurations.
It is important to note that devices without SSL VPN enabled are not affected by these vulnerabilities. Organizations that have not updated their Fortinet devices to the latest secure versions are particularly vulnerable. Additionally, devices that were compromised prior to patching may still be at risk due to remnants of the attacker’s access method. This threat is not specific to any particular region or industry, prompting all sectors to conduct thorough assessments of their environments.
Fortinet’s investigation, which was supported by internal monitoring and collaboration with third-party organizations, led to the discovery of this post-exploitation technique. This discovery prompted Fortinet’s Product Security Incident Response Team (PSIRT) to develop countermeasures and notify affected customers. This incident serves as a poignant reminder that known vulnerabilities, especially when left unpatched, remain a lucrative target for threat actors.
The ASD’s ACSC strongly advises organizations to upgrade all Fortinet devices to the latest secure versions and review configurations on affected devices for signs of modification or compromise. It is also recommended to investigate environments for any suspicious behavior or anomalies in device logs. Fortinet has taken proactive measures to help customers secure their environments and prevent further exploitation of these vulnerabilities, including releasing updated AV/IPS signatures and enhancing FortiOS versions.
Customers upgrading to the latest FortiOS versions will benefit from enhanced security features such as virtual patching for interim protection, firmware integrity validation at the BIOS level, and filesystem integrity monitoring. These enhancements are part of Fortinet’s commitment to cybersecurity best practices and responsible transparency.
This incident underscores the importance of timely patching and maintaining strong cyber hygiene to defend against known and emerging threats in today’s ever-evolving threat landscape. With the increasing number of vulnerabilities reported each year, staying vigilant and proactive in managing security updates has become an essential practice for all IT environments.