
Fortinet Edge devices are under attack again

Hackers may have reverse-engineered the February patch

David Perera (@daveperera) •
October 16, 2024

Hackers may have bypassed a months-old patch for Fortinet gateway devices, prompting a warning from the US federal government about its active exploitation.

At least one security researcher says Fortinet is also facing a further zero-day vulnerability, one that has not yet been assigned an identifier in the Common Vulnerabilities and Exposures system.

The Silicon Valley firewall and VPN maker is among the edge device vendors that have drawn a surge of attention from nation-state hackers over the past two years. A Chinese cyberespionage campaign against FortiGate security devices, disclosed by the Netherlands' National Cyber Security Centre in February, turned out to be "much larger than previously known," the agency warned in June.

The US federal advisory took the form of the Cybersecurity and Infrastructure Security Agency adding CVE-2024-23113 to its Known Exploited Vulnerabilities catalog on October 9, a listing CISA reserves for flaws it has evidence are being actively exploited. The bug is a format string vulnerability in fgfmd, the FortiOS daemon that handles FortiGate-to-FortiManager communication: an unauthenticated remote attacker can submit a specially formatted string that crashes FortiOS, the custom Linux-based operating system that powers Fortinet devices, or, with a more carefully built payload, runs commands on it, for instance to add a user or push configuration changes.

Fortinet patched the flaw in February. It scores 9.8 on the 10-point CVSS scale, a critical rating. Internet scans by the Shadowserver Foundation show around 88,000 potentially vulnerable instances exposed worldwide.

Some security researchers say the February patch doesn’t appear to have completely fixed the flaw.

“I strongly suspect that Fortinet patched it, they didn’t rigorously test the entire feature, and then someone – most likely a nation-state actor – figured out they could use a slightly modified attack to exploit the same flaw,” said Bobby Kuzma, director of offensive cyber operations at ProCircular.

Indicators pointing in that direction include the sudden disappearance last week of proof-of-concept exploit repositories for CVE-2024-23113 from GitHub, a sign of how worried cybersecurity specialists are about the flaw, Kuzma told Information Security Media Group.

Over the weekend Fortinet also recommended that customers update their firewall rules, and its guidance suggests an attack that relies on a specific string pattern or originates from a very limited set of IP addresses, he added. ISMG has not seen the notice, which a system administrator said carries “TLP:AMBER+STRICT” disclosure restrictions.
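
A worked example of the kind of firewall-rule change the passage refers to, added here as an illustration and not drawn from the article or from Fortinet's own notice: on a FortiGate, the fgfmd service listens on TCP 541 on every interface whose allowaccess list includes fgfm, so the two usual interim controls are to drop fgfm from internet-facing interfaces and to constrain whatever remains with a local-in policy that accepts FGFM traffic only from the management host. The interface name wan1, the FortiManager address 203.0.113.10 and the object names are assumptions.

```text
# Added example (assumed names: wan1, 203.0.113.10, FortiManager_host, FGFM_tcp541)
# 1. Stop fgfmd from listening on the internet-facing interface.
#    "set allowaccess" replaces the whole list, so fgfm is simply left out.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# 2. Where FGFM must stay reachable (e.g. a management interface), allow it
#    only from the FortiManager host and deny it from everyone else.
config firewall address
    edit "FortiManager_host"
        set subnet 203.0.113.10 255.255.255.255
    next
end

config firewall service custom
    edit "FGFM_tcp541"
        set tcp-portrange 541
    next
end

# Local-in policies are evaluated top-down: the accept must precede the deny.
config firewall local-in-policy
    edit 1
        set intf "mgmt"
        set srcaddr "FortiManager_host"
        set dstaddr "all"
        set service "FGFM_tcp541"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "mgmt"
        set srcaddr "all"
        set dstaddr "all"
        set service "FGFM_tcp541"
        set schedule "always"
        set action deny
    next
end
```

Confirm the result with `show system interface wan1` and `show firewall local-in-policy`. Two caveats apply. A source-address allow-list only shrinks the attack surface: a crafted request from the permitted address still reaches the vulnerable daemon, so the policy is a stopgap until the fixed firmware is installed. And removing fgfm from an interface prevents FortiManager from initiating connections to the FortiGate on that interface; connections the FortiGate itself initiates toward FortiManager are unaffected.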

That guidance points to a vulnerability distinct from CVE-2024-23113, security researcher Kevin Beaumont claimed on Wednesday.

If Beaumont is right, and Fortinet has not responded to multiple requests for comment, the zero-day would be the latest in a series of critical- or high-rated vulnerabilities that Fortinet customers have had to fix this year. Of the 27 CVEs Fortinet has registered so far this year, nearly four in 10 score at least 7 on the CVSS scale, including a zero-day exploited in the wild in February.

Vulnerabilities in edge devices and network infrastructure typically rank high in cybersecurity urgency, WithSecure said in June. The number of vulnerabilities in edge devices and infrastructure that CISA warns are being actively exploited also rose significantly this year compared with last, the cybersecurity firm said.

Unlike endpoint devices, edge devices do not receive regular patch updates, Kuzma said. But they’re not necessarily difficult to exploit. “Most appliances are literally Linux boxes with fancy cases. They are standard Linux systems that have all the power, capability and familiarity that you get with them.”

Hackers have turned to edge devices because endpoints are increasingly difficult to hack – and because they often lack strict detection and logging requirements. And once hackers find their way into an edge device, most “no longer have any restriction on communicating with the rest of the network environment,” Kuzma said.