Fortinet Secure Web Gateway Takeover: Uncovering the implications of this cybersecurity event and its impact on online security.
The latest Fortinet bug is a critical heap buffer overflow that can lead to remote code execution (RCE). It affects FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager, and it carries a CVSS v3 score of 10. It is exploitable without authentication, so a successful attacker takes over the device outright. Some workarounds are available for devices that cannot be patched immediately.
1. Remote Code Execution
Many attacks on networked systems involve remote code execution (RCE): a vulnerability that lets an attacker run code of their choosing on the target from across the network. Attackers typically look for RCE in public-facing web applications and network appliances, because those are reachable without any prior access. The consequences range from data breaches such as the one at Equifax to monetisation schemes such as cryptojacking.
There are many routes to RCE, but they share one idea: the attacker gets the target to treat data it controls as code, or as instructions to a component that runs code. Some languages and frameworks evaluate code from strings at runtime, deserialize objects, or hand user input to a shell or template engine. These features are convenient, but when attacker-controlled input reaches them without proper validation the attacker gains RCE. Memory-unsafe languages such as C and C++ add a second route: corrupting memory so that the program's own control flow is redirected.
Two of the most common methods are injection and out-of-bounds writes. In an injection attack, attacker-supplied data is delivered to the application (through a search field, an HTTP header, a log line, or a flaw in a plugin or library) and reaches a function that interprets it, such as a shell, a database, a template engine, or a deserializer. Injection can be server-side or client-side, and its effects range from remote code evaluation and full code execution to denial of service.
Out-of-bounds write attacks occur when an application writes attacker-supplied data past the end of an allocated buffer, most often because a length field taken from the input is trusted without being checked against the destination, or because an integer overflow in a size calculation undersizes the allocation. Heap buffer overflows such as the Fortinet bug described above fall into this category: the attacker's payload overwrites adjacent heap data (other objects, allocator metadata, function pointers) and from there hijacks execution. Note that the widely reported Log4j flaw (Log4Shell) is an injection bug rather than an out-of-bounds write: a log message containing a JNDI lookup caused the library to fetch and run attacker-supplied classes.
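The pattern described above, as an added example that is not Fortinet's code or the actual FortiOS bug: a length-prefixed message handler that trusts the length field from the wire and overflows a fixed-size heap buffer into the field that follows it, beside a bounds-checked version. The wire format (2-byte big-endian length, then payload), the `session` struct layout and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 64

/* Heap-allocated per-connection state (assumed layout). The privilege flag
 * sits right after the fixed-size name buffer, so writing past `name`
 * corrupts it. */
struct session {
    char name[NAME_MAX];
    uint32_t is_admin;
};

/* Wire format assumed for the example: 2-byte big-endian payload length,
 * followed by the payload. */
static size_t payload_len(const uint8_t *msg) {
    return ((size_t)msg[0] << 8) | msg[1];
}

/* VULNERABLE: the length is only checked against the packet, not against
 * the destination buffer, so a payload longer than NAME_MAX spills into
 * is_admin (and, with a real allocator, into neighbouring heap chunks). */
int set_name_unchecked(struct session *s, const uint8_t *msg, size_t msg_size) {
    if (msg_size < 2) return -1;
    size_t len = payload_len(msg);
    if (len > msg_size - 2) return -1;      /* stays inside the packet ... */
    memcpy(s->name, msg + 2, len);          /* ... but not inside s->name   */
    return 0;
}

/* HARDENED: the length is bounded by the destination as well, and the copy
 * is NUL-terminated so later string handling cannot over-read it. */
int set_name_checked(struct session *s, const uint8_t *msg, size_t msg_size) {
    if (msg_size < 2) return -1;
    size_t len = payload_len(msg);
    if (len > msg_size - 2 || len >= NAME_MAX) return -1;
    memcpy(s->name, msg + 2, len);
    s->name[len] = '\0';
    return 0;
}

/* Runs one constructed message (a payload of `len` 'A' bytes) through the
 * selected handler on a fresh session. Returns -1 if the handler rejected
 * the message, 0 if it accepted it and is_admin is still 0, and 1 if
 * is_admin was overwritten by the copy. */
int handle_message(int hardened, size_t len) {
    size_t msg_size = 2 + len;
    uint8_t *msg = malloc(msg_size);
    struct session *s = calloc(1, sizeof *s);
    if (!msg || !s) { free(msg); free(s); return -1; }
    msg[0] = (uint8_t)(len >> 8);
    msg[1] = (uint8_t)(len & 0xff);
    memset(msg + 2, 'A', len);

    int rc = hardened ? set_name_checked(s, msg, msg_size)
                      : set_name_unchecked(s, msg, msg_size);
    int result = rc < 0 ? -1 : (s->is_admin != 0);
    free(msg);
    free(s);
    return result;
}

int main(void) {
    /* 68 bytes = NAME_MAX + sizeof(uint32_t): just enough to reach is_admin */
    printf("unchecked, 10-byte name : %d\n", handle_message(0, 10));
    printf("unchecked, 68-byte name : %d\n", handle_message(0, 68));
    printf("checked,   68-byte name : %d\n", handle_message(1, 68));
    return 0;
}
```

The example keeps the overflow inside the session object so it runs deterministically; on a real device the same missing check lets the payload run on into whatever the allocator placed next, which is what turns a corrupted flag into control of execution.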
Once an attacker has gained RCE on a web application or gateway, they can steal user data or use the system as a staging point for further activity. The most common follow-up to a successful RCE is installing a "web shell", a small script left on the server that gives the attacker a persistent backdoor to the device and to the users and traffic behind it.
MSPs can reduce the risk of RCE by keeping software and firmware up to date, conducting regular penetration testing, and adopting secure coding practices for anything they build themselves. They should also watch for security advisories from their vendors, since appliances such as firewalls and proxies are only protected once the administrator applies the update.
2. Denial of Service
Denial of service (DoS) attacks aim to make a website, application or server unavailable for its intended purpose. This can be achieved in many ways, including malformed network packets, logic flaws, and resource-handling problems. A recent critical flaw in DrayTek routers allows remote attackers to completely take over vulnerable devices; it is a buffer overflow in the router's management interface and has a CVSS v3 severity score of 10 (out of 10). Fortinet is also dealing with a major vulnerability in its FortiOS software that has been exploited in the wild. The bug enables an attacker to execute unauthorized code or commands on Fortinet firewalls and FortiProxy web proxies. Affected devices shut themselves down when a firmware integrity check fails, which stops the intrusion but also turns the attack into an outage.
Zyxel has released three security advisories to fix a batch of flaws found by several security companies. One is a high-severity unauthenticated buffer overflow affecting a range of its firewall models. A second group of fixes addresses several medium-severity flaws ranging from local file disclosure to privilege escalation. The last concerns BFD (Bidirectional Forwarding Detection) processing: when BFD sessions are not correctly handed off to the hardware line card, the line-card process fails to detect link failures.
A separate problem involves a race condition in the open-source FreeRDP library, which is used in some of these firewalls and access points. The guacd process that manages RDP connections handles them without privilege separation, so one malicious RDP session can compromise the whole process. Exploiting it requires chaining information-disclosure flaws with a memory corruption bug and a privilege escalation step. Fortunately, a workaround exists for this one.
3. Unauthenticated RCE
RCE is the most dangerous class of vulnerability because it gives an attacker complete control of the compromised device. It can lead to denial of service, information disclosure, and more, and it is routinely used to install and run malware such as ransomware. RCE is one of the main reasons organizations should deploy layered network security with capabilities such as threat detection, sandboxing, and endpoint protection.
To exploit RCE, attackers first need to reach the vulnerable service. This usually means a publicly facing vulnerability in an application or appliance. Attackers then use that foothold to expand their access and launch more damaging attacks. In the 2017 WannaCry ransomware worm, for example, attackers exploited a vulnerability in Server Message Block (SMB) to gain remote code execution on vulnerable machines and encrypt their files.
RCE bugs can sit at any layer an attacker can reach: the web application, the language runtime and its libraries, or the operating system. For instance, a Java deserialization vulnerability lets an attacker take full control of a system by supplying a crafted serialized object that executes code when the application deserializes it. To reduce these risks, organizations should allow-list the classes, applications and database operations they permit, and validate and sanitize all user input to prevent injection attacks.
Unauthenticated RCE also arises from memory-safety bugs in a running application or device, whether caused by software defects or by hardware configuration mistakes.
Note that unauthenticated RCE does not depend on weak credentials: the attacker needs no password or token at all, and the flaw is exploited remotely without any user interaction. Strong passwords and two-factor authentication therefore do not stop it on their own; what does help is locking devices down so that management and VPN interfaces accept connections only from trusted, approved sources, which keeps the vulnerable service out of the attacker's reach.
Unauthenticated RCE vulnerabilities affect a wide range of products and are particularly damaging when chained with other flaws. For instance, a recent remote code execution vulnerability in SonicWall's SMA 100 series and SRA 200 series can be combined with other exploits to perform cross-site request forgery (CSRF) attacks and obtain persistent root privileges on the device. To protect against these risks, apply updates per the vendor's instructions and disconnect devices that have reached end of life.
4. Information Disclosure
Disclosing confidential information to parties not authorized to see it may seem minor, but what attackers learn from such flaws is used in later stages of an attack. For instance, if a flaw in an SAP system lets unauthorized users read sensitive data from the database layer, that knowledge can later be used to attack or compromise the SAP system itself.
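The same "small leak, later compromise" pattern from a memory-safety angle, as an added example that is not code from SAP, Fortinet or any vendor named on this page: a status handler that copies back as many bytes as the client asks for, and so returns the secret that happens to follow the public field in memory, beside a version bounded by what the field actually holds. The `device_info` layout, the request format and the sample values are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

#define HOST_MAX   32
#define SECRET_MAX 32

/* Constructed device record: a public field followed in memory by a secret. */
struct device_info {
    char hostname[HOST_MAX];
    char api_token[SECRET_MAX];   /* must never appear in a response */
};

/* Bounded string length, written out to avoid relying on POSIX strnlen. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* VULNERABLE: `want` comes straight from the request and is only clamped to
 * the response buffer, so asking for more than HOST_MAX bytes returns
 * whatever follows hostname in memory (here, the API token). The clamp
 * makes the code look safe at a glance, which is why such bugs survive. */
size_t reply_hostname_unchecked(const struct device_info *d, uint16_t want,
                                char *out, size_t out_size) {
    size_t n = want < out_size ? want : out_size;
    memcpy(out, d->hostname, n);
    return n;
}

/* HARDENED: the copy is bounded by the field's real contents, then by the
 * response buffer; the client's number never sets the read length alone. */
size_t reply_hostname_checked(const struct device_info *d, uint16_t want,
                              char *out, size_t out_size) {
    size_t have = bounded_len(d->hostname, HOST_MAX);
    size_t n = want;
    if (n > have) n = have;
    if (n > out_size) n = out_size;
    memcpy(out, d->hostname, n);
    return n;
}

/* Sends one request for `want` bytes to the selected handler and reports
 * whether the response contains the token: 1 = leaked, 0 = not leaked. */
int response_leaks_token(int hardened, uint16_t want) {
    struct device_info d;
    memset(&d, 0, sizeof d);
    strcpy(d.hostname, "fw-edge-01");          /* constructed sample data */
    strcpy(d.api_token, "tok_9f3c1a77");
    char out[sizeof d];                        /* response buffer */
    size_t n = hardened ? reply_hostname_checked(&d, want, out, sizeof out)
                        : reply_hostname_unchecked(&d, want, out, sizeof out);
    size_t tl = strlen(d.api_token);
    for (size_t i = 0; i + tl <= n; i++)
        if (memcmp(out + i, d.api_token, tl) == 0) return 1;
    return 0;
}
```

A request for 64 bytes against the unchecked handler returns the token; the checked handler returns the ten bytes of the hostname regardless of what was asked for. In a real service the adjacent memory is whatever the allocator placed there, which is exactly why over-reads are hunted for: session cookies, private keys and credentials all live somewhere next to a buffer.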
This month Fortinet issued a patch for a critical vulnerability in its FortiOS software: a memory corruption bug in the SSL VPN component that allows attackers to remotely take over FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager. A warning was also issued that attackers are actively exploiting unpatched, end-of-life SonicWall SRA 100 series and SMA 8.x remote access devices to push ransomware into networks. These products are end of life and should be disconnected or replaced if they are still in use.
A wormable critical vulnerability was recently disclosed in the open source muhttpd web server, which is used in routers and other IoT devices from Arris, Buffalo, D-Link, Edimax, Hikvision, Netgear, Rockspace and Zyxel, among many others. The underlying problem is that the eCos operating system on these devices has no concept of privileges: every thread can access every memory location, so a bug in the web server can be escalated to full, root-equivalent control of the device, which in turn means unauthenticated RCE.
The issue affects a large number of IoT devices built on the Realtek RTL819xD system on a chip and was presented at DEF CON by the security company Faraday Security. The bug lets an attacker obtain a device's username and password by brute force, gaining access even without a valid certificate, and it can be exploited to execute arbitrary code or to create a new account with admin privileges.
Retiring old kit is one way to avoid these problems, but you should also audit your own code for flaws like this and make sure it does not reveal confidential information that could help an attacker later. For instance, a scanner such as Netsparker can check for sensitive comments left in your pages and for web server error messages that reveal too much technical detail about the backend technology in use.