The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of active exploits targeting three susceptibilities in Fortinet FortiOS. Fortinet FortiOS is an operating system designed to improve enterprise security and it enables secure networks, endpoints, and clouds to keep the user safe from vulnerabilities and threats.
According to the advisory, these three unpatched vulnerabilities in Fortinet FortiOS platforms belong to technology services, government agencies, and other private sector bodies. The advanced persistent threat (APT) actors are targeting the vulnerabilities CVE-2018-13379, a path traversal vulnerability (CVSS base score of 9.8); CVE-2020-12812, an improper authentication flaw (CVSS base score of 9.8) and CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5) which were initially revealed in 2019.
The attackers have specifically exploited the vulnerability CVE-2018-13379 since its discovery in 2018. In 2019, nation-state hackers exploited the flaw and targeted the U.S. National Security Agency. Last year in October, a joint CISA/FBI advisory regarding federal, state, and local U.S. government networks being targeted mentioned the flaw.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use the other CVEs or common exploiting techniques – such as spear-phishing – to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the advisory read.
Carl Windsor, Fortinet field chief technology officer responded to the joint advisory by stating that Fortinet has already patched the flaws and is educating the customers regarding the vulnerabilities.
“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020,” he further stated.