Immediate Patching Advised for Critical Fortinet FortiOS & FortiProxy Vulnerability
Malicious actors may have exploited a critical vulnerability in the SSL-VPN component of Fortinet's FortiOS and FortiProxy. The vulnerability, tracked as CVE-2023-27997, is a heap-based buffer overflow in the FortiOS and FortiProxy SSL-VPN that a remote, unauthenticated attacker could exploit to execute arbitrary code by sending crafted requests to vulnerable devices. Because the flaw is triggered before authentication completes, it can be exploited even when multi-factor authentication is enabled.
Fortinet firewalls and VPNs are widely deployed, and threat actors actively target their vulnerabilities and have exploited them quickly in the past. A Shodan search shows roughly 250,000 Fortinet firewalls reachable from the internet, most of which are believed to be vulnerable. Fortinet said it identified the vulnerability during a code audit prompted by attacks in January that exploited CVE-2022-42475, an earlier zero-day in the FortiOS SSL-VPN. Those attacks were attributed to Volt Typhoon, a Chinese state-sponsored threat group active since mid-2021 that has previously targeted U.S. critical infrastructure organizations. Fortinet has not attributed exploitation of the newly disclosed vulnerability to Volt Typhoon, but said that group and others are likely to target it, and that there may already have been limited attacks against government, critical infrastructure and manufacturing organizations.
Fortinet published a security advisory on June 12 for the vulnerability, which affects nearly all versions of FortiOS and FortiProxy. Patches have been released and customers are advised to upgrade to the latest firmware. Fortinet noted that devices on which SSL-VPN is not enabled are not exposed to the flaw; nevertheless, all users are advised to upgrade to the latest firmware regardless.
Although exploitation is believed to be limited so far, threat actors can diff the newly released patched firmware against earlier versions to locate the fix and will likely develop working exploits quickly, so prompt patching is strongly encouraged. All users should make sure they have upgraded to at least the following firewall and VPN versions:
FortiOS
FortiOS version 6.0.17 or later versions
FortiOS version 6.2.14 or later versions
FortiOS version 6.4.13 or later versions
FortiOS version 7.0.12 or later versions
FortiOS version 7.2.5 or later versions
FortiOS version 7.4.0 or later versions
FortiProxy
FortiProxy version 7.0.10 or later versions
FortiProxy version 7.2.4 or later versions
FortiOS-6K7K
FortiOS-6K7K version 6.0.17 or later versions
FortiOS-6K7K version 6.2.15 or later versions
FortiOS-6K7K version 6.4.13 or later versions
FortiOS-6K7K version 7.0.12 or later versions
Patches For Another Critical Vulnerability in MOVEit Transfer Released by Progress Software
Progress Software has released a service pack addressing three recently disclosed vulnerabilities in its MOVEit Transfer software, one of which is rated critical and can be exploited remotely by an unauthenticated attacker. According to Progress Software, CVE-2023-36934 is a SQL injection flaw that an unauthenticated attacker could exploit to gain access to the MOVEit Transfer database.
The second vulnerability, tracked as CVE-2023-36932, is also a SQL injection flaw. Exploiting it would allow an authenticated attacker to access the MOVEit Transfer database and modify or disclose its contents. It is rated high severity.
The third vulnerability, tracked as CVE-2023-36933 and also rated high severity, could be exploited to invoke a method that raises an unhandled exception, causing the application to terminate unexpectedly (a denial of service).
At the time of the security update there were no reports of in-the-wild exploitation of the three vulnerabilities and no public proof-of-concept exploits, but Progress Software strongly recommends prompt patching. The Clop ransomware group exploited an earlier MOVEit Transfer vulnerability, CVE-2023-34362, disclosed in May 2023, to steal customer data from MOVEit Transfer databases. Following that exploitation, Progress Software commissioned an audit that uncovered further critical-severity vulnerabilities, which were also patched shortly afterwards.
The affected versions, the vulnerabilities that apply to each, and the fixed versions are listed below:
1. MOVEit Transfer 2020.0.x (12.0.x) and older: affected by CVE-2023-36934 (Critical) and CVE-2023-36932 (High). No fix is available for this branch; upgrade to a supported MOVEit Transfer version.
2. MOVEit Transfer 2020.1.6 (12.1.6) and later releases in the 2020.1 branch: affected by CVE-2023-36934 (Critical) and CVE-2023-36932 (High). Fixed in service pack MOVEit Transfer 2020.1.11 (12.1.11).
3. MOVEit Transfer 2021.0.x (13.0.x): affected by CVE-2023-36934 (Critical), CVE-2023-36932 (High) and CVE-2023-36933 (High). Fixed in service pack MOVEit Transfer 2021.0.9 (13.0.9).
4. MOVEit Transfer 2021.1.x (13.1.x): affected by CVE-2023-36934 (Critical), CVE-2023-36932 (High) and CVE-2023-36933 (High). Fixed in service pack MOVEit Transfer 2021.1.7 (13.1.7).
5. MOVEit Transfer 2022.0.x (14.0.x): affected by CVE-2023-36934 (Critical), CVE-2023-36932 (High) and CVE-2023-36933 (High). Fixed in service pack MOVEit Transfer 2022.0.7 (14.0.7).
6. MOVEit Transfer 2022.1.x (14.1.x): affected by CVE-2023-36934 (Critical), CVE-2023-36932 (High) and CVE-2023-36933 (High). Fixed in service pack MOVEit Transfer 2022.1.8 (14.1.8).
7. MOVEit Transfer 2023.0.x (15.0.x): affected by CVE-2023-36934 (Critical), CVE-2023-36932 (High) and CVE-2023-36933 (High). Fixed in service pack MOVEit Transfer 2023.0.4 (15.0.4).
There are several upgrade paths for the latest three vulnerabilities depending on whether the May 2023 patch and remediation steps were already applied; details are available from Progress Software. Progress Software has also said it will release service packs monthly so that administrators can address security issues more quickly and easily in future.
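Both advisories on this page (the FortiOS/FortiProxy list for CVE-2023-27997 and the MOVEit Transfer list for CVE-2023-36934, CVE-2023-36932 and CVE-2023-36933) fix the flaw per release branch, and that is where version checks usually go wrong: "6.4.13 or later" does not mean 7.0.1 is fixed, a 6K/7K chassis on the 6.2 branch needs a later build than an ordinary FortiGate on the same branch, and a branch with no fixed build (FortiOS lines older than 6.0, MOVEit Transfer 2020.0 and older) has to be migrated rather than patched. The following Python script, added here as an example and not code from Fortinet, Progress Software or this page, turns both version lists into a check that can be run over an inventory export. The host names, the `get system status` style banners with their build numbers, the sample inventory, and the conversion of year-style MOVEit release names (2023.0.3) to the numeric form (15.0.3) by subtracting 2008, derived from the version pairs listed above, are all assumptions of the example.

```python
import re

# Minimum fixed patch level per release branch, transcribed from the two
# advisories summarised above. Key: (product, major, minor) -> fixed patch.
# A branch missing from the table has no fixed build: the vendor's guidance
# is to migrate to a supported branch rather than wait for a patch.
FIXED_BUILDS = {
    # Fortinet, CVE-2023-27997
    ("FortiOS", 6, 0): 17, ("FortiOS", 6, 2): 14, ("FortiOS", 6, 4): 13,
    ("FortiOS", 7, 0): 12, ("FortiOS", 7, 2): 5, ("FortiOS", 7, 4): 0,
    ("FortiProxy", 7, 0): 10, ("FortiProxy", 7, 2): 4,
    ("FortiOS-6K7K", 6, 0): 17, ("FortiOS-6K7K", 6, 2): 15,
    ("FortiOS-6K7K", 6, 4): 13, ("FortiOS-6K7K", 7, 0): 12,
    # Progress MOVEit Transfer, CVE-2023-36934 / -36932 / -36933,
    # keyed by the numeric form of the version (2020.1 = 12.1 ... 2023.0 = 15.0)
    ("MOVEit Transfer", 12, 1): 11, ("MOVEit Transfer", 13, 0): 9,
    ("MOVEit Transfer", 13, 1): 7, ("MOVEit Transfer", 14, 0): 7,
    ("MOVEit Transfer", 14, 1): 8, ("MOVEit Transfer", 15, 0): 4,
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Year-style MOVEit release names (2023.0.3) map onto the numeric form (15.0.3)
# by subtracting this offset. The value is derived from the version pairs on
# this page and is an assumption of the example, not vendor documentation.
MOVEIT_YEAR_OFFSET = 2008


def parse_version(text):
    """Return (major, minor, patch) from a bare version string or from a CLI
    banner such as 'Version: FortiGate-100F v7.0.11,build0489,230314 (GA)'
    or a MOVEit release name such as '2023.0.3 (15.0.3)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if major >= 2000:                       # MOVEit year-style release name
        major -= MOVEIT_YEAR_OFFSET
    return major, minor, patch


def assess(product, version_text):
    """Classify one installation as 'patched', 'vulnerable' or
    'unsupported-branch' against FIXED_BUILDS. Only the patch number is
    compared, and only within the installation's own (major, minor) branch."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_BUILDS.get((product, major, minor))
    if fixed is None:
        status = "unsupported-branch"
        advice = f"{product} {major}.{minor}.x has no fixed build listed; migrate to a supported branch"
    elif patch >= fixed:
        status = "patched"
        advice = f"{product} {major}.{minor}.{patch} meets the minimum {major}.{minor}.{fixed}"
    else:
        status = "vulnerable"
        advice = f"upgrade {product} {major}.{minor}.{patch} to {major}.{minor}.{fixed} or later"
    return {"status": status, "parsed": (major, minor, patch), "fixed": fixed, "advice": advice}


def assess_inventory(inventory):
    """Run assess() over (host, product, version_text) rows and return
    (host, result) pairs with vulnerable and unsupported hosts listed first."""
    order = {"vulnerable": 0, "unsupported-branch": 1, "patched": 2}
    results = [(host, assess(product, ver)) for host, product, ver in inventory]
    return sorted(results, key=lambda r: order[r[1]["status"]])


# Constructed sample inventory for the example; hosts, banners and build
# numbers are made up, not observed data.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "Version: FortiGate-100F v7.0.11,build0489,230314 (GA)"),
    ("fw-edge-02", "FortiOS", "Version: FortiGate-60F v7.2.5,build1517,230423 (GA)"),
    ("fw-chassis-01", "FortiOS-6K7K", "v6.2.14"),   # fixed for FortiOS, not for 6K7K
    ("fw-legacy-01", "FortiOS", "v5.6.14"),          # branch with no fixed build
    ("proxy-01", "FortiProxy", "v7.0.9"),
    ("mft-01", "MOVEit Transfer", "2023.0.3 (15.0.3)"),
    ("mft-02", "MOVEit Transfer", "15.0.4"),
    ("mft-old", "MOVEit Transfer", "2020.0.5"),      # 2020.0.x: upgrade required
]

if __name__ == "__main__":
    for host, result in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {result['status']:19} {result['advice']}")
```

The product must be supplied by the operator rather than guessed from the banner, because the same version string on a 6000/7000-series chassis has a different minimum build than on other FortiGate models on the 6.2 branch, and the table only encodes what each vendor published; a device in the "unsupported-branch" bucket is not cleared, it simply has no patch to wait for.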