Fortinet warns on critical SQL Injection bug after NCSC disclosure
More pre-auth RCE bugs in Fortinet appliances? Colour us shocked!
Fortinet has urged customers to patch six new vulnerabilities in its products – including two critical bugs that are remotely exploitable by an unauthenticated attacker, one of which was reported by the UK’s NCSC.
Depressingly if perhaps unsurprisingly given Fortinet’s recent run of security flaws, the one reported by the NCSC (allocated CVE-2023-48788, with a CVSS rating of 9.3) is a SQL Injection vulnerability of the kind that in theory could and should be found with some rudimentary fuzzing.
(A range of widely and freely available open source tools like SQLMap make it easy to detect and exploit SQLi vulnerabilities in code.)
Fortinet, which says it has over 730,000 customers, has not been affected financially by its products being vulnerable to a seemingly endless supply of exploitable software vulnerabilities that often put its customers at risk. Its bookings grew 8.5% to $1.9 billion in Q4, reported in February.
New Fortinet vulnerabilities
CISA noted that a “cyber threat actor could exploit some of these vulnerabilities to take control of an affected system” and advised IT administrators to promptly patch or mitigate the following vulnerabilities:
FR-IR-23-390: FortiClientEMS - CSV injection in log download feature
FR-IR-23-328: FortiOS, FortiProxy - Out-of-bounds Write in captive portal
FR-IR-24-013: FortiOS, FortiProxy - Authorization bypass in SSLVPN bookmarks
FR-IR-23-103: FortiWLM MEA for FortiManager - Improper access control in backup and restore features
FR-IR-24-007: Pervasive SQL injection in DAS component
As WatchTowr CEO Benjamin Harris recently noted to The Stack of VPN and other gateways from the likes of Fortinet and Ivanti: "A lot of them were built from the ground up about 15-20 years ago. Being black magical boxes that nobody really sees inside of, there hasn't been a huge amount of pressure by anyone on any vendor… people have just been buying them, truckload after truckload, and there’s a significant cost attached to them."
"You've then got organisations that aren't necessarily keeping up to date on the latest branch. You’ve got FortiOS 6, 7, 8 in production: six is like 10 years old at this point and is still being run in production..."
Fortinet appliances are widely deployed by enterprises – many of which appear to be lax at patching them. A case in point: one of the single most widely exploited CVEs in 2022 was a Fortinet vulnerability patched four years earlier (CVE-2018-13379).
Fortinet's product security also appears troublingly lax: CVE-2022-40684 was also widely exploited and let attackers gain access to “all management API endpoints”; CVE-2023-27997 meanwhile was “reachable pre-authentication (without any login needed), on every [Fortinet] SSL VPN appliance” and was also used to attack customers. There are well over a million devices running FortiOS on the internet and, while certainly not all of those are exposed management interfaces, the number gives an indication of its ubiquity.