Fortinet has recently issued advisories and warnings regarding several vulnerabilities in its products, including FortiOS, FortiProxy, and FortiSwitchManager. One of the most critical is a path traversal vulnerability in FortiOS (CVE-2022-41328), through which a privileged attacker may read and write arbitrary files via crafted CLI commands.
Threat groups have been exploiting the path traversal vulnerability as a zero-day against government and other corporate organizations. Although the Fortinet advisory did not state that the vulnerability was being exploited in the wild, Fortinet has released a blog post explaining that it is being used to deploy malware, leading to OS file corruption and data loss. CISA has also added the CVE to its Known Exploited Vulnerabilities (KEV) catalog.
Affected Products:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS 6.2 all versions
- FortiOS 6.0 all versions
Mitigation (upgrade to one of the following fixed releases):
- FortiOS version 7.2.4 or later
- FortiOS version 7.0.10 or later
- FortiOS version 6.4.12 or later
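As an added example (not from the Qualys post or from Fortinet), the following script turns the affected and fixed version lists above into an inventory check: it parses a FortiOS build string and reports whether it falls in an affected range and which release closes it. The "major.minor.patch" string format is an assumption, and the sample inventory is constructed.

```python
# Added example: classify FortiOS builds against the CVE-2022-41328 ranges listed above.
# Version-string format (dotted major.minor.patch, optional leading "v") is an assumption.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected, fixed release) per release train, from the lists above
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 3), "7.2.4"),
    ((7, 0, 0), (7, 0, 9), "7.0.10"),
    ((6, 4, 0), (6, 4, 11), "6.4.12"),
]
# Trains where every release is affected and no fixed build is listed above
UNFIXED_TRAINS = {(6, 2), (6, 0)}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (a missing patch counts as 0) into a comparable tuple."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (is_affected, fixed_release).

    fixed_release is None when the build is not affected, or when it sits in a train
    for which no fixed build is listed (the device must move to a fixed train)."""
    v = parse_version(version_text)
    if (v[0], v[1]) in UNFIXED_TRAINS:
        return True, None
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return True, fix
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory, not real device data
    for build in ["7.2.3", "7.2.4", "7.0.9", "6.4.12", "6.2.11", "7.4.0"]:
        affected, fix = assess(build)
        if not affected:
            action = "not in an affected range"
        elif fix:
            action = "upgrade to " + fix
        else:
            action = "no fixed build in this train; move to a fixed train"
        print(f"{build:>8}: {action}")
```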
Fortinet’s Investigation:
Fortinet’s investigation team found that an unauthorized modification had been made to the firmware image of a device: the file /sbin/init was altered, and a new file, /bin/fgfm, was added. The modification ensured that /bin/fgfm runs before the regular boot-up actions, potentially giving an attacker persistent access to and control of the device.
Because all affected FortiGate devices stopped working at the same time and were compromised in the same way, the investigation team believes the attackers most likely gained access through the FortiManager device. Evidence also suggests that a path traversal exploit was attempted on a FortiGate device at around the same time that scripts were executed via FortiManager.
Qualys Detection
Qualys customers can scan their devices with QID 43992 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.fortiguard.com/psirt/FG-IR-22-369
https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis