US agencies warn that advanced persistent threat groups are exploiting Fortinet FortiOS vulnerabilities to compromise government and commercial organizations that use it. Last week, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) warned in a PDF advisory that attackers are scanning for systems that haven't been patched.
Fortinet FortiOS is the operating system underpinning the Fortinet Security Fabric, a solution designed to improve enterprise security by covering endpoints, cloud deployments, and centralized networks.
The three severe vulnerabilities patched are registered as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
These flaws are already known and patches for them have been available for some time. The patches only help if the IT admins running the OS actually apply them; otherwise the systems remain open to exploitation.
The CVE-2018-13379 flaw was rated 9.8/10 on the severity scale. It affects the FortiOS SSL VPN portal and can allow unauthenticated attackers to download system files using HTTPS requests.
The CVE-2020-12812 vulnerability also got a 9.8/10 rating because of its improper authentication issues. Users can log in without being prompted to provide second-factor authentication if they change the case of their username.
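To make the username-case issue concrete, here is an added illustration of that bug class (not FortiOS code, and not taken from the advisory): a login flow where the password check matches usernames case-insensitively, but the lookup deciding whether a second factor is required uses the exact string the client sent. The account store, names and passwords are constructed sample data.

```python
# Added example: a second-factor check undermined by inconsistent username handling,
# alongside a hardened version that resolves the account once on a canonical form.
# All accounts and credentials below are constructed sample data, not real values.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    username: str
    password: str          # plaintext only to keep the sample short (constructed)
    mfa_enrolled: bool


# Constructed store: the "Admin" account has a second factor enrolled.
USERS = {"Admin": Account("Admin", "correct-horse", mfa_enrolled=True)}


def verify_password(username: str, password: str) -> bool:
    """Backend credential check; matches the username case-insensitively,
    as directory services commonly do."""
    for name, acct in USERS.items():
        if name.lower() == username.lower():
            return acct.password == password
    return False


def login_vulnerable(username: str, password: str, otp_supplied: bool) -> str:
    """Flawed flow: the MFA policy lookup uses the client's exact spelling."""
    if not verify_password(username, password):
        return "denied"
    acct = USERS.get(username)           # exact-case lookup: "admin" finds nothing
    needs_mfa = acct.mfa_enrolled if acct else False   # missing record => "no 2FA"
    if needs_mfa and not otp_supplied:
        return "second factor required"
    return "authenticated"


def resolve_account(username: str) -> Optional[Account]:
    """Single, canonical (casefolded) lookup used for every decision."""
    key = username.casefold()
    return next((a for n, a in USERS.items() if n.casefold() == key), None)


def login_fixed(username: str, password: str, otp_supplied: bool) -> str:
    """Hardened flow: one account resolution, and unknown accounts fail closed."""
    acct = resolve_account(username)
    if acct is None or acct.password != password:
        return "denied"
    if acct.mfa_enrolled and not otp_supplied:
        return "second factor required"
    return "authenticated"
```

The defensive lesson is that every policy decision about an identity must key off the same canonical account record, and a lookup miss must never default to the weaker policy.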
The final flaw
Finally, we have CVE-2019-5591, which is rated 7.5/10. The vulnerability is a default configuration problem in FortiOS 6.2.0 and below that allows unauthenticated attackers on the same subnet to intercept data by pretending to be an LDAP server.
IT admins running FortiOS are encouraged to check with Fortinet whether their versions are affected and to patch them to stay safe.
The advisory says that APTs are particularly focused on open and vulnerable systems run by government agencies, tech companies, and other crucial commercial services.