Unknown threat actors have exploited a security flaw in Fortinet’s FortiOS software to gain access to data, cause OS and file corruption, and potentially lead to other malicious activities.
The vulnerability, CVE-2022-41328, is a path traversal bug with a CVSS score of 6.5 that could allow a privileged threat actor to read and write arbitrary files. Fortinet researchers have stated that the complexity of the exploit suggests an advanced actor and that the activity is highly targeted, aimed at governmental or government-related organizations.
CVE-2022-41328: What Is Known about the FortiOS Vulnerability?
According to the official Fortinet advisory, CVE-2022-41328 is a path traversal vulnerability in FortiOS (an improper limitation of a pathname to a restricted directory) that may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.
Affected products include the following:
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.9
FortiOS version 6.4.0 through 6.4.11
FortiOS 6.2 all versions
FortiOS 6.0 all versions
Fortinet recently released patches for 15 security vulnerabilities, including CVE-2022-41328 and a serious heap-based buffer underflow impacting FortiOS and FortiProxy (CVE-2023-25610, CVSS score: 9.3). Fixes for CVE-2022-41328 are available in FortiOS 6.4.12, 7.0.10, and 7.2.4. After an unnamed customer experienced a “sudden system halt and subsequent boot failure” on their FortiGate devices, Fortinet suggested that the issue could have been caused by an integrity breach.
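For fleet triage, the affected and fixed versions above can be encoded as a small checker. This is an added example, not code from the article or from Fortinet; the ranges are taken from the list above and any branch not listed (for example 7.4) is treated as out of scope rather than safe.

```python
# Added example (not from the article or Fortinet): triage a FortiOS build
# number against the affected ranges for CVE-2022-41328 listed above.
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn a version string such as '7.0.9' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

# (first affected, last affected, fixed release), per the advisory summary.
# Branches marked "all versions" have no upper bound and no fixed release.
AFFECTED: List[Tuple[Version, Optional[Version], Optional[str]]] = [
    ((7, 2, 0), (7, 2, 3), "7.2.4"),
    ((7, 0, 0), (7, 0, 9), "7.0.10"),
    ((6, 4, 0), (6, 4, 11), "6.4.12"),
    ((6, 2, 0), None, None),
    ((6, 0, 0), None, None),
]

def check_fortios(version: str) -> Tuple[bool, Optional[str]]:
    """Return (is_affected, fixed_version).

    fixed_version is None either because the build is not affected or
    because the branch has no fix and needs migration to a supported one.
    """
    v = parse_version(version)
    for low, high, fix in AFFECTED:
        if v[:2] != low[:2]:          # compare only within the same branch
            continue
        if high is None or low <= v <= high:
            return True, fix
        return False, None            # same branch, already at/after the fix
    return False, None                # branch not covered by this advisory

if __name__ == "__main__":
    for build in ("7.2.3", "7.2.4", "6.2.15", "7.4.0"):
        print(build, check_fortios(build))
```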
A Highly-Targeted Attack
Further investigation of the incident uncovered that the threat actors had altered the device’s firmware image to include a new payload (“/bin/fgfm”). This malware was capable of contacting a remote server, downloading files, transferring data from the compromised host, and allowing remote shell access. The modifications to the firmware also provided the attacker with persistent access and control, and even circumvented the firmware verification process at startup.
Fortinet reported that the attack was “highly targeted,” with indications pointing to governmental or state-affiliated organizations. The complexity of the exploit suggests that the attacker is highly knowledgeable about FortiOS and the underlying hardware, and has the necessary expertise to reverse engineer different components of the FortiOS operating system. It’s unclear if the threat actor is tied to another intrusion group that was observed exploiting a vulnerability in FortiOS SSL-VPN (CVE-2022-42475) in early January to install a Linux implant.