Markus Feilner

Chinese hackers and Fortinet vulnerabilities: Warnings from US government

For several years in a row, the Californian manufacturer Fortinet has been in the public focus due to serious security problems. Known for its secure firewall, VPN and intrusion detection devices, the cyber security expert was again forced to announce several highly critical security vulnerabilities in February 2024.

Staying informed and applying patches promptly is what companies need to proactively protect themselves against such attacks. Products such as Greenbone’s Enterprise Appliances play a central role in this and are meant to help admins. All the vulnerabilities mentioned in this blog post are covered by tests from the Greenbone Enterprise Feed: active procedures check whether the exploit is possible, and versioning tests will deliver results about the success of patch management.

87,000 passwords: Fortinet wins “Vulnerability of the Year 2022”

In 2019, CVE-2018-13379 (CVSS 9.8) allowed over 87,000 passwords for the Fortinet VPN to be read from the devices. In the following years, this vulnerability was exploited so successfully that in 2022 it was awarded the dubious title of “most exploited vulnerability of 2022”. The US authorities reacted and urged all of their clients to be more aware of the problem: the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) all warned that many customers did not apply patches promptly. Again, lack of foresight turned out to be one of the main reasons. According to the agencies, patching would have prevented many of the successful attacks.

2023: Unwanted guests in critical networks

What makes it worse is that Fortinet devices are mostly used in security-critical areas. Unpatched and carrying serious vulnerabilities, such devices have become a focus of attackers in recent years, especially state actors. In 2023, for example, Chinese hacker groups successfully infiltrated Dutch military networks via a vulnerability in the FortiOS SSL VPN from December 2022 that had already been patched for a while (CVE-2022-42475, CVSS 9.3).

Even though the network was only used for research and development according to the Military Intelligence and Security Service (MIVD), the attacks, made public at the beginning of February, made it clear how easy it is for attackers to penetrate even highly protected networks. Worse still, the corresponding backdoor “Coathanger” allows attackers to gain permanent access to devices once they have been hacked, all thanks to the vulnerability CVE-2022-42475, which allows the execution of arbitrary code.

February 2024: Warnings of further vulnerabilities, maximum severity

Unfortunately, the story does not end here: at the beginning of February 2024, Fortinet also had to admit another serious vulnerability. CVE-2024-21762 (CVSS score: 9.6) allows unauthorized attackers to execute arbitrary code via specially crafted requests. A long list of versions of FortiOS, the Fortinet operating system, and of FortiProxy is affected. The manufacturer advises upgrading or deactivating the SSL VPN and warns of both the severity of the vulnerability and the fact that it is already being massively exploited by attackers.

Fortinet seemed to have some organizational issues, too. CVE-2024-23108 and CVE-2024-23109, published just a few days later, sounded just as bad: they also allow unauthenticated attackers to execute arbitrary code. However, these CVEs have to be taken with a grain of salt: the fact that two CVEs from the same manufacturer received a 10.0 on the threat severity scale on the same day is probably unique and raised some experts’ eyebrows. Apart from that, the vendor’s confusing communication did little to establish or strengthen trust, much like the strange story of toothbrush-based attacks told by a Fortinet employee, which reached the mass media at the same time.

Fatal combination – vulnerability management can help

As always, Fortinet published patches promptly, but customers also have to install them. Again, the combination of serious security vulnerabilities, lack of awareness and missing patches showed its full impact: only a few days later, the US government pushed out another advisory from CISA, NSA and FBI about Volt Typhoon, a Chinese state hacker group. The US government had evidence that these attackers had been permanently embedded in the critical infrastructure of US authorities for many years via such vulnerabilities. According to the warning, the associated risks should not be underestimated.

The security by design required there also includes constant monitoring of one’s own servers, computers and installations with vulnerability tests such as those of Greenbone Enterprise Appliances. Those who constantly monitor their networks (not just Fortinet devices) with the vulnerability tests of a modern vulnerability scanner can inform their administrators as quickly as possible when known CVEs in their infrastructure are waiting for patches, which reduces the attack surface.

Markus Feilner is a consultant for IT security, digital sovereignty and open source strategies from Regensburg. He has been working with Linux since 1994. He has been writing studies, articles and blog posts for Greenbone since 2021.

15. March 2024/by Markus Feilner