Grubbslinger, Posted December 12, 2022

Another FortiOS vulnerability in the wild. Definitely needs to be patched or mitigated if you are using this service. https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/

MalwareTech, Posted December 12, 2022

Deja vu (for the 15th time)

xorroprop, Posted December 12, 2022

This seems to happen at least 5 times a year

Chris, Posted December 13, 2022

We (Fortinet partner) got several warnings ahead from Fortinet themselves for the previous one, which could be exploited if you expose the firewall's management interface to the internet. This one can be exploited if you have SSL VPN enabled at all, and we needed to gather the information from government authorities last week, with no notification from the vendor yet. I wonder what Fortinet thinks their customers use on their devices? Manage them through a public IP and not using VPN at all?

j91321, Posted December 13, 2022

> 1 hour ago, Chris said: We (Fortinet partner) got several warnings ahead from Fortinet themselves

If you work with Fortinet a lot, I have a question you may actually be able to help with. The advisory lists filesystem artifacts that are present on exploitation, but fails to mention how you check for these. As far as I remember (and I haven't touched a Fortinet device in a while), the CLI doesn't provide a real shell, only the limited management shell. The only command that may be useful for checking these files is `diagnose sys last-modified-files`, and I'm not sure if that is available on all versions of FortiOS mentioned in the advisory. Is there a way IR can quickly check for these filesystem artifacts without the need to actually make a forensic image of the disk?

Chris, Posted December 13, 2022

> 47 minutes ago, j91321 said: Is there a way IR can quickly check for these filesystem artifacts without the need to actually make a forensic image of the disk?

You are looking for the `fnsysctl` command, which hands over your command to the Linux shell:

```
FG-Test # fnsysctl ls /bin -la
drwxr-xr-x 2 0 0 Tue Dec 6 07:07:59 2022 3720 .
drwxr-xr-x 17 0 0 Tue Dec 6 07:09:37 2022 460 ..
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 acd -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 acs-sdn-change -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 acs-sdn-status -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 acs-sdn-update -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 alarmd -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 alertmail -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 authd -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 autod -> /bin/init
```

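The artifact check discussed in this thread can be run offline on saved CLI output. The following is an added example, not code from any poster or from Fortinet: it parses the `fnsysctl ls -la` row layout shown above and flags rows that match a responder-supplied indicator list or were modified after a cut-off time. The names `parse_listing` and `triage`, the `EXAMPLE_ARTIFACT` row, the indicator path and the baseline time are assumptions made for illustration.

```python
import re
from datetime import datetime
# Row layout of the `fnsysctl ls -la` output quoted above:
# mode links uid gid weekday month day time year size name [-> target]
ROW = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<mtime>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"(?P<size>\d+)\s+(?P<name>.+?)(?:\s+->\s+(?P<target>.+))?$"
)

def parse_listing(text):
    """Return one dict per row; the CLI prompt line and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        stamp = " ".join(row["mtime"].split())  # collapse column padding
        row["mtime"] = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        row["size"] = int(row["size"])
        rows.append(row)
    return rows

def triage(text, directory, indicators, baseline):
    """Flag rows whose path is a listed indicator or whose mtime is after baseline."""
    findings = []
    for row in parse_listing(text):
        if row["name"] in (".", ".."):
            continue
        path = directory.rstrip("/") + "/" + row["name"]
        reasons = []
        if path in indicators:
            reasons.append("indicator path")
        if row["mtime"] > baseline:
            reasons.append("modified after baseline")
        if reasons:
            findings.append((path, row["mtime"].isoformat(), reasons))
    return findings

# Constructed sample: three rows copied from the post, plus one made-up row.
SAMPLE = """FG-Test # fnsysctl ls /bin -la
drwxr-xr-x 2 0 0 Tue Dec 6 07:07:59 2022 3720 .
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 acd -> /bin/init
lrwxrwxrwx 1 0 0 Tue Dec 6 07:07:52 2022 9 authd -> /bin/init
-rwxr-xr-x 1 0 0 Fri Dec 9 03:14:10 2022 1024 EXAMPLE_ARTIFACT
"""
INDICATORS = {"/bin/EXAMPLE_ARTIFACT"}   # placeholder, not a path from the advisory
BASELINE = datetime(2022, 12, 6, 7, 10)  # assumed cut-off chosen by the responder
```

Calling `triage(SAMPLE, "/bin", INDICATORS, BASELINE)` returns only the constructed row, with both reasons attached; real indicator paths have to be taken from the vendor advisory.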