Nearly two weeks after sending the first private notifications to customers about a zero day in many of its products that was under active attack, Fortinet is still reaching out to customers who have not updated their vulnerable devices yet and attackers are continuing to expand their exploit attempts.
On Oct. 6 Fortinet sent a confidential email to customers who had devices affected by an authentication bypass vulnerability (CVE-2022-40684), warning them that there had been at least one exploit targeting the bug. The company also notified the Cybersecurity and Infrastructure Security Agency (CISA) and other agencies about the bug and exploit attempt, and on Oct. 10 published an advisory and updates for the affected products, which include FortiOS, FortiProxy, and FortiSwitchManager.
But despite the warnings and availability of public exploit code, many organizations have not yet updated their vulnerable devices.
“After multiple notifications from Fortinet over the past week, there are still a significant number of devices that require mitigation, and following the publication by an outside party of POC code, there is active exploitation of this vulnerability. Based on this development, Fortinet again recommends customers and partners take urgent and immediate action as described in the public Advisory,” Carl Windsor of Fortinet’s Product Security Incident Response Team said in a blog post.
It’s not unusual for enterprises to wait to install updates, even ones that fix actively exploited vulnerabilities. This is particularly true for security products, as security teams are loath to take them offline unless it’s absolutely necessary, and organizations often wait for scheduled maintenance windows to install updates. But with active exploitation happening and public exploit code available, the risk of waiting to install the Fortinet update is significant. Fortinet began seeing expanded exploit attempts immediately after the initial customer notification went out on Oct. 6, and those attempts have ramped up since.
“Fortinet provided customers with an early confidential notification to enable this issue to be remediated before the vulnerability became public. As soon as it did, threat actors began to exploit the issue. As can be seen from one of our honeypot systems following the initial confidential notification, threat actors began to scan the internet for devices, exploit the vulnerability to download configuration, and also install malicious administrator accounts,” Windsor said.
GreyNoise, which tracks attack traffic and scanning activity, has seen 233 distinct IP addresses attempting to exploit the Fortinet vulnerability since Oct. 13. The Fortinet PSIRT recommends that organizations that can’t install updates at the moment disable the HTTP/HTTPS admin interface as a workaround.
“Fortinet recommends that customers validate their configuration to ensure that no unauthorized changes have been implemented by a malicious third party, regardless of whether they have upgraded,” Windsor said.
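The two actions the article describes, disabling HTTP/HTTPS administrative access as a stopgap and checking the configuration for administrator accounts an attacker may have added, can both be done against a FortiOS configuration backup rather than by clicking through the GUI of a device you no longer fully trust. The following script is an added example written for this page; it is not Fortinet tooling and not code from the article. It parses the `config ... / edit ... / set ... / next / end` structure of a FortiOS config dump, lists administrator accounts that are not on an allowlist you supply (the `EXPECTED_ADMINS` set is an assumption you must fill in for your own environment), flags admin accounts without `trusthost` restrictions or with SSH public keys configured, reports every interface whose `allowaccess` includes `http` or `https`, and prints the CLI needed to remove those two protocols. The sample configuration embedded below is constructed for the example and describes no real device.

```python
"""Audit a FortiOS configuration backup for admin exposure and unexpected admin accounts.

Added example for this article; not Fortinet code. Feed it the output of
`show full-configuration` or a downloaded config backup.
"""
import shlex
from typing import Dict, List, Tuple

# Assumption: the administrator accounts your organization knows about.
EXPECTED_ADMINS = {"admin"}
# Protocols Fortinet's workaround says to disable on the admin interface.
ADMIN_WEB_PROTOCOLS = {"http", "https"}

# Constructed sample config backup (not from any real device).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 unknown@example"
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
    next
end
"""

Sections = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios_config(text: str) -> Sections:
    """Return {section: {entry: {setting: [values]}}} for a FortiOS config dump.

    Settings made directly under a `config` block (no `edit`) land under the
    entry name "". A `config` block nested inside an `edit` is keyed as
    "<section>/<entry>/<nested section>" so nothing collides or is lost.
    """
    sections: Sections = {}
    frames: List[Tuple[str, str]] = []  # (section key, current entry) per nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            name = " ".join(args)
            if frames:
                parent_sec, parent_entry = frames[-1]
                name = f"{parent_sec}/{parent_entry}/{name}"
            frames.append((name, ""))
            sections.setdefault(name, {})
        elif kw == "edit" and frames:
            sec = frames[-1][0]
            frames[-1] = (sec, args[0])
            sections[sec].setdefault(args[0], {})
        elif kw in ("set", "unset") and frames:
            sec, entry = frames[-1]
            target = sections[sec].setdefault(entry, {})
            if kw == "set":
                target[args[0]] = args[1:]
            else:
                target.pop(args[0], None)
        elif kw == "next" and frames:
            frames[-1] = (frames[-1][0], "")
        elif kw == "end" and frames:
            frames.pop()
    return sections


def audit_config(sections: Sections, expected_admins=EXPECTED_ADMINS) -> List[str]:
    """List findings: unknown admins, unrestricted admins, SSH keys, web admin exposure."""
    findings: List[str] = []
    for name, settings in sections.get("system admin", {}).items():
        if not name:  # settings outside an `edit` block are not accounts
            continue
        if name not in expected_admins:
            profile = " ".join(settings.get("accprofile", ["<unset>"]))
            findings.append(f"unexpected administrator {name!r} (accprofile {profile})")
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(f"administrator {name!r} has no trusthost restriction")
        for key in settings:
            if key.startswith("ssh-public-key"):
                findings.append(f"administrator {name!r} has {key} configured")
    for name, settings in sections.get("system interface", {}).items():
        exposed = sorted(ADMIN_WEB_PROTOCOLS & set(settings.get("allowaccess", [])))
        if exposed:
            findings.append(f"interface {name!r} allows web admin access via {'/'.join(exposed)}")
    return findings


def remediation_cli(sections: Sections) -> str:
    """FortiOS CLI that strips http/https from every interface's allowaccess.

    Returns "" when no interface exposes the web admin UI. An interface left
    with no other protocols gets `unset allowaccess`, since `set allowaccess`
    with no arguments is not valid CLI.
    """
    lines = ["config system interface"]
    changed = False
    for name, settings in sections.get("system interface", {}).items():
        allowaccess = settings.get("allowaccess", [])
        if not ADMIN_WEB_PROTOCOLS & set(allowaccess):
            continue
        kept = [p for p in allowaccess if p not in ADMIN_WEB_PROTOCOLS]
        stmt = f"set allowaccess {' '.join(kept)}" if kept else "unset allowaccess"
        lines += [f'    edit "{name}"', f"        {stmt}", "    next"]
        changed = True
    lines.append("end")
    return "\n".join(lines) if changed else ""


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for finding in audit_config(parsed):
        print("FINDING:", finding)
    print(remediation_cli(parsed))
```

Run it against a backup taken from the device and, separately, against the last backup you know predates Oct. 6; any administrator account, SSH key or trusted-host change that appears only in the newer one needs an owner. Removing `http` and `https` from `allowaccess` also removes GUI access for legitimate administrators, so keep SSH (or out-of-band console) reachable before applying the generated CLI.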