A severe stack-based buffer overflow vulnerability, classified as CWE-121, has recently emerged in several Fortinet products, most notably impacting FortiVoice systems. This zero-day flaw is being actively leveraged in the wild by malicious actors, enabling unauthenticated users to execute unauthorized commands through specially crafted HTTP requests.
"Fortinet has observed this to be exploited in the wild on FortiVoice," a representative from Fortinet disclosed, highlighting the urgency of addressing this critical issue.
"Fortinet has observed this to be exploited in the wild on FortiVoice,"
Impact and Legacy
The exploitation of this vulnerability is leading to various malicious activities. Specifically, Fortinet's Product Security Team has reported that attackers are engaging in credential harvesting by enabling FastCGI (fcgi) debugging, which captures system or SSH login credentials. Furthermore, there have been instances of log manipulation, wherein attackers erase system crash logs to obscure their actions. Additionally, network scanning is occurring, where the device network is probed for more vulnerabilities, expanding the potential impact.
Indicators of Compromise (IoCs) linked to these exploits include a range of malicious IP addresses such as 198.105.127.124 and 43.228.217.173, alongside modified system files and the introduction of cron jobs intended to siphon sensitive information from affected systems.
The flaw affects multiple Fortinet products across various versions, underscoring the extensive reach of this vulnerability. A detailed overview of the affected products and their recommended remedies can be seen below:
By the Numbers
By the Numbers
By the Numbers
| Product | Affected Versions | Solution | |---------------|--------------------------|----------------------------------------| | FortiCamera | 2.1.0–2.1.3 | Upgrade to 2.1.4 or above | | | 2.0, 1.1 (all versions) | Migrate to a fixed release | | FortiMail | 7.6.0–7.6.2 | Upgrade to 7.6.3 or above | | | 7.4.0–7.4.4 | Upgrade to 7.4.5 or above | | | 7.2.0–7.2.7 | Upgrade to 7.2.8 or above | | | 7.0.0–7.0.8 | Upgrade to 7.0.9 or above | | FortiNDR | 7.6.0 | Upgrade to 7.6.1 or above | | | 7.4.0–7.4.7 | Upgrade to 7.4.8 or above | | | 7.2.0–7.2.4 | Upgrade to 7.2.5 or above | | | 7.0.0–7.0.6 | Upgrade to 7.0.7 or above | | | 7.1, 1.5, 1.4, 1.3, ... | Migrate to a fixed release | | FortiRecorder | 7.2.0–7.2.3 | Upgrade to 7.2.4 or above | | | 7.0.0–7.0.5 | Upgrade to 7.0.6 or above | | | 6.4.0–6.4.5 | Upgrade to 6.4.6 or above | | FortiVoice | 7.2.0 | Upgrade to 7.2.1 or above | | | 7.0.0–7.0.6 | Upgrade to 7.0.7 or above | | | 6.4.0–6.4.10 | Upgrade to 6.4.11 or above |
In response to this vulnerability, Fortinet has proposed a temporary workaround by advising users to disable the HTTP/HTTPS services on affected devices. However, this is a short-term solution, and organizations must prioritize updating their systems to the latest versions as recommended.
As cyber threats continue to evolve, the importance of swiftly addressing vulnerabilities cannot be overstated. Organizations using Fortinet products are urged to take immediate action to protect their systems against these emerging threats.