Nynox advisory - Threat alert -
Fortinet - Critical Pre-Authentication Remote Code Execution vulnerability found in FortiOS
– Date: 11 June 2023 –
On June 11th, Fortinet issued a new firmware patch fixing an undisclosed pre-authentication remote code execution vulnerability in their FortiOS SSL-VPN. Fortinet has not yet published any further information. Details will be disclosed tomorrow, so keep an eye on their PSIRT page: https://www.fortiguard.com/psirt
What is this about?
❗️An attacker is able to exploit this vulnerability in the SSL-VPN before any authentication occurs. And yes, even with MFA activated.
❗️At the time of writing, not much information is available, but if an attacker succeeds in exploiting this vulnerability, it is possible for them to execute arbitrary code remotely, bypassing authentication.
WHY IS THIS VULNERABILITY SERIOUS?
⚠️ The SSL-VPN service is one of the most used functionalities in Fortinet firewalls, providing remote access to employees and collaborators.
⚠️ FortiOS devices are popular and many of them are exposed to the Internet, which makes them an extremely popular target.
How does Nynox protect its customers?
🛡️ 24×7 monitoring of customer environments
🛡️ Free threat hunting for SOC customers based on the indicators for this attack
🛡️ Personalized assistance to mitigate the risk
🛡️ 24×7 Incident Response (CSIRT) in case of compromise
WHAT CAN YOU DO TO MITIGATE THE RISK?
✅ Update your FortiOS to the versions below:
But what if you can’t?
✅ Disable the SSL-VPN entirely.
✅ Only allow connections from authorized IP addresses.
✅ Monitor logs for any sign of malicious activity.