The US authorities are urging Fortinet customers to patch three legacy vulnerabilities being exploited in the wild to compromise government, commercial and technology service provider networks.
A joint cybersecurity advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Friday warned that threat actors are actively scanning for devices via ports 4443, 8443 and 10443, with the potential end goals of data theft or ransomware deployment.
“The FBI and CISA believe the APT actors are likely exploiting these Fortinet FortiOS vulnerabilities — CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 — to gain access to multiple government, commercial and technology services networks,” it said.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors, to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use other CVEs or common exploitation techniques — such as spear-phishing — to gain access to critical infrastructure networks to pre-position for follow-on attack.”
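The advisory quoted above describes actors scanning for exposed FortiOS services on ports 4443, 8443 and 10443. As an added illustration (not code from the advisory or from Fortinet), the following Python triages constructed firewall log lines and reports any source that has touched more than one of those three ports, which is the kind of signal a defender would want to surface before deciding whether the device behind them is patched. The log format and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Ports named in the FBI/CISA advisory as being scanned for FortiOS SSL VPN.
WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample firewall log lines; the layout "src= dst= dport= action="
# is an assumed format, not a real product's output.
SAMPLE_LOG = """\
2021-04-02T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=4443 action=deny
2021-04-02T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=8443 action=deny
2021-04-02T10:00:03Z src=198.51.100.7 dst=192.0.2.10 dport=10443 action=deny
2021-04-02T10:00:04Z src=203.0.113.9 dst=192.0.2.10 dport=443 action=allow
2021-04-02T10:00:05Z src=203.0.113.9 dst=192.0.2.10 dport=8443 action=allow
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_events(text):
    """Yield (src, dst, dport) tuples from lines that match the assumed format."""
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match["src"], match["dst"], int(match["dport"])


def find_probing_sources(text, min_ports=2):
    """Return {src: [ports]} for sources that hit at least min_ports watched ports.

    A single hit on 8443 can be ordinary traffic; a source walking several of
    the advisory's ports is the pattern worth reviewing.
    """
    seen = defaultdict(set)
    for src, _dst, dport in parse_events(text):
        if dport in WATCHED_PORTS:
            seen[src].add(dport)
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_probing_sources(SAMPLE_LOG).items():
        print(f"{src} probed FortiOS ports {ports}")
```

The threshold is deliberately a parameter: on a network where 8443 is in routine use, raising `min_ports` to 3 or restricting the check to denied connections trims the noise without changing the logic.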
Patches for the first two vulnerabilities have been available since May and July 2019, while the third was fixed by Fortinet in July last year.
CVE-2018-13379 is a path traversal flaw which allows unauthenticated attackers to download system files, while CVE-2020-12812 is an improper authentication vulnerability in SSL VPN which allows users to log in without being prompted for a second factor if they change the case of their username. Both have a CVSS score of 9.8, meaning they’re classed as “critical.”
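The second-factor bypass described above belongs to a broader class of bug: the credential check and the policy check normalise the username differently, so the same person is recognised by one and missed by the other. The hypothetical Python below, added here to illustrate that class and not taken from FortiOS or any Fortinet code, shows a login routine with that inconsistency next to one that canonicalises the name once and uses it everywhere. The user directory, password handling and one-time code are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str          # plaintext only because this is a toy directory
    mfa_required: bool


# Constructed sample directory: one account with a second factor enforced.
USERS = {"alice": User("alice", "correct horse", mfa_required=True)}

# Constructed one-time code accepted for the example; a real system would
# verify a TOTP or push response instead.
EXPECTED_OTP = "123456"


def _password_ok(user, password):
    return secrets.compare_digest(user.password, password)


def _second_factor_ok(otp):
    return otp is not None and secrets.compare_digest(otp, EXPECTED_OTP)


def _find_user_case_insensitive(name):
    for user in USERS.values():
        if user.username.lower() == name.lower():
            return user
    return None


def vulnerable_login(username, password, otp=None):
    """Credential check tolerates any case; MFA policy lookup does not."""
    user = _find_user_case_insensitive(username)
    if user is None or not _password_ok(user, password):
        return "denied"
    # Bug: the policy is looked up with the name exactly as typed, so
    # "Alice" finds no entry and falls through as if MFA were not required.
    policy = USERS.get(username)
    if policy is not None and policy.mfa_required and not _second_factor_ok(otp):
        return "otp_required"
    return "granted"


def hardened_login(username, password, otp=None):
    """Canonicalise once, then use the same record for every decision."""
    canonical = username.strip().lower()
    user = USERS.get(canonical)
    if user is None or not _password_ok(user, password):
        return "denied"
    # The MFA decision comes from the same record that passed the password
    # check, so there is no second lookup to disagree with the first.
    if user.mfa_required and not _second_factor_ok(otp):
        return "otp_required"
    return "granted"
```

The fix is not the `.lower()` call itself but the single source of truth: whichever record authenticated the password is the record consulted for every subsequent policy decision.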
CVE-2019-5591 is a default configuration vulnerability in FortiOS which could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. It has a score of 7.5, making it a high severity bug.
Fortinet said it had repeatedly urged customers to patch the offending vulnerabilities over the past couple of years.