News

WHAT, ME WORRY?

A world of hurt for Fortinet and Zoho after users fail to install patches

Attackers are capitalizing on organizations' failure to patch critical vulnerabilities.

Dan Goodin – Feb 23, 2023 10:11 pm UTC

Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors race to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.

The vulnerabilities both carry severity ratings of 9.8 out of a possible 10 and reside in products from two unrelated vendors that are crucial to securing large networks. The first, tracked as CVE-2022-47966, is a pre-authentication remote code execution vulnerability in 24 separate products from the ManageEngine division of software-maker Zoho. It was patched in waves from last October through November. The second, CVE-2022-39952, affects a product called FortiNAC, made by cybersecurity company Fortinet, and was patched last week.

Both ManageEngine and FortiNAC are billed as zero-trust products, meaning they operate under the assumption that a network has already been breached and constantly monitor devices to ensure they're not infected or acting maliciously. Zero-trust products don't trust any device or node on a network by default and instead actively work to verify that each one is safe before granting it access.

24 Zoho products affected

ManageEngine is the Zoho division behind a wide range of network management software and appliances that perform core administrative functions. AD Manager Plus, for instance, helps admins set up and maintain Active Directory, the Windows directory service used to create and delete user accounts across a network and to assign privileges to each one. Password Manager Pro provides a centralized vault for storing a network's privileged credentials. Other ManageEngine products manage desktops, mobile devices, servers, applications, and service desks.

CVE-2022-47966 allows attackers to remotely execute malicious code by sending a standard HTTP POST request that contains a specially crafted SAML response. (SAML, the Security Assertion Markup Language, is an XML-based open standard that identity providers and service providers use to exchange authentication and authorization data.) The vulnerability stems from Zoho's use of an outdated version of Apache Santuario, the library the products rely on for XML signature validation, so the flaw is reachable on any affected product that has SAML-based single sign-on enabled or, in some products, that has ever had it enabled.

In January, roughly two months after Zoho patched the ManageEngine vulnerability, security firm Horizon3.ai published a deep-dive analysis that included proof-of-concept exploit code. Within a day, security firms such as Bitdefender began seeing a cluster of active attacks from multiple threat actors targeting organizations worldwide that still hadn't installed the security update.

Some attacks exploited the vulnerability to install tools such as the command-line utility Netcat and, from there, the AnyDesk remote access software. When that succeeds, the threat actors sell the initial access to other threat groups. Other attackers exploited the vulnerability to install ransomware known as Buhti, post-exploitation tools such as Cobalt Strike and RAT-el, and malware used for espionage.

"This vulnerability is another clear reminder of the importance of keeping systems up to date with the latest security patches while also employing strong perimeter defense," Bitdefender researchers wrote. "Attackers don't need to scour for new exploits or novel techniques when they know that many organizations are vulnerable to older exploits due, in part, to the lack of proper patch management and risk management."

Zoho representatives didn't respond to an email seeking comment for this post.

FortiNAC under massive attack

CVE-2022-39952, meanwhile, resides in FortiNAC, a network access control product that identifies and monitors every device connected to a network. Large organizations use FortiNAC to protect operational technology networks in industrial control systems, IT appliances, and Internet of Things devices. The vulnerability belongs to the class known as external control of file name or path (CWE-73): because the appliance lets an unauthenticated request choose where a file is written, an attacker can write arbitrary files to the system and, from there, obtain remote code execution that runs with unfettered root privileges.
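The vulnerability class described above is easy to see in miniature. The following is an added illustration of CWE-73 written for this article, not FortiNAC code and not a reproduction of the real bug: two handlers write a client-supplied payload to a client-supplied file name, and only the hardened one confines the write to the intended directory. The directory names and the crontab-style payload are constructed for the demo.

```python
"""Added example: external control of file name or path (CWE-73), shown as a
vulnerable file-write handler beside a hardened one. Hypothetical code; it is
not FortiNAC's implementation and does not reproduce CVE-2022-39952."""
import os
import tempfile
from pathlib import Path


def save_vulnerable(base_dir: str, client_name: str, data: bytes) -> str:
    """Trusts the client-supplied name. A name containing '..' escapes
    base_dir, and os.path.join discards base_dir entirely when the name is
    absolute, so the client chooses where on the filesystem the write lands."""
    target = os.path.join(base_dir, client_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def confine(base_dir: str, client_name: str) -> Path:
    """Returns the resolved target path, or raises ValueError if the
    client-supplied name would leave base_dir or name a subdirectory."""
    base = Path(base_dir).resolve()
    # Resolve '..' components and symlinks *before* the containment check so
    # that "reports/../../x" or a symlinked directory cannot slip past it.
    candidate = (base / client_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes {base}: {client_name!r}") from None
    # Accept only a single path component: the client may not pick subdirs.
    if candidate.parent != base:
        raise ValueError(f"subdirectories not allowed: {client_name!r}")
    return candidate


def is_confined(base_dir: str, client_name: str) -> bool:
    """Boolean form of confine(), convenient for tests and request filters."""
    try:
        confine(base_dir, client_name)
        return True
    except ValueError:
        return False


def save_hardened(base_dir: str, client_name: str, data: bytes) -> str:
    """Writes only after confine() has accepted the name."""
    target = confine(base_dir, client_name)
    with open(target, "wb") as fh:
        fh.write(data)
    return str(target)


def demo() -> dict:
    """Runs both handlers on a constructed traversal name inside a temp tree
    and reports where each write landed or that it was refused."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    outside = os.path.join(root, "etc", "cron.d")  # stand-in for a privileged dir
    os.makedirs(outside)

    traversal = "../etc/cron.d/backdoor"  # constructed attacker-controlled name
    vuln_path = save_vulnerable(uploads, traversal, b"* * * * * root /tmp/x\n")
    try:
        save_hardened(uploads, traversal, b"ignored")
        hardened_refused = False
    except ValueError:
        hardened_refused = True
    good_path = save_hardened(uploads, "report.txt", b"ok")
    return {
        "vulnerable_escaped": os.path.realpath(vuln_path).startswith(os.path.realpath(outside)),
        "hardened_refused": hardened_refused,
        "hardened_ok_inside": os.path.realpath(good_path).startswith(os.path.realpath(uploads)),
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations matters: resolving the candidate path first and then checking containment is what defeats both `..` segments and symlinks, and rejecting anything that is not a direct child of the base directory removes the attacker's ability to pick a target directory at all.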

Fortinet patched the vulnerability on February 16, and within days researchers from multiple organizations, including Shadowserver, Cronup, and GreyNoise, reported that it was under active exploitation. Once again, Horizon3.ai provided a deep dive that analyzed the cause of the vulnerability and how it could be weaponized.

"We have started to detect the massive installation of Webshells (backdoors) for later access to compromised devices," researchers from Cronup wrote.

The vulnerability is being exploited by what appear to be multiple threat actors attempting to install different web shells, server-side scripts that give attackers a browser- or HTTP-accessible interface through which they can remotely issue commands on the compromised device.
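Finding dropped web shells after the fact is the immediate job for anyone running an unpatched appliance. The following is an added example, not Fortinet's or Cronup's detection logic: a small content-based triage scanner whose rules look for command-execution or eval sinks fed directly from an HTTP request parameter. The rules are generic PHP and JSP patterns, not signatures for the specific shells seen on FortiNAC, and the sample web root it scans is constructed inline.

```python
"""Added example: content-based web shell triage. Hypothetical, generic
rules (PHP/JSP sinks that take their argument straight from a request
parameter); not a signature set for the shells observed on FortiNAC."""
import re
import tempfile
from pathlib import Path

# Each rule pairs a label with a regex for an exec/eval sink whose argument
# comes directly from an HTTP request parameter, the hallmark of a one-line shell.
RULES = [
    ("php-exec-from-request",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("php-eval-from-request",
     re.compile(r"\beval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("php-variable-function-from-request",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
    ("jsp-exec-from-request",
     re.compile(r"Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter")),
]


def classify(content: str) -> list:
    """Returns the labels of every rule that matches the file content."""
    return [label for label, rx in RULES if rx.search(content)]


def scan_tree(root: str, exts=(".php", ".phtml", ".jsp", ".jspx")) -> dict:
    """Walks root and maps each suspicious file (POSIX-style relative path)
    to the list of rule labels that fired on it."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in exts):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        labels = classify(text)
        if labels:
            hits[path.relative_to(root).as_posix()] = labels
    return hits


def demo() -> dict:
    """Builds a constructed web root with one benign page and two shells,
    then scans it. Expected: only the two shells are reported."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample files
        "index.php": "<?php echo 'hello ' . htmlspecialchars($_GET['name']); ?>",
        "img/cache.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
        "admin/help.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, labels in sorted(demo().items()):
        print(f"{rel}: {', '.join(labels)}")
```

Treat hits as leads, not verdicts: obfuscated shells will evade simple string rules, so pair a scan like this with file-modification times and the indicators published in the research posts the article references, and review anything written to a web-served directory after the exploitation window by hand.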

In a blog post published Thursday, Fortinet CTO Carl Windsor said the company regularly performs internal security audits to find security bugs in its products.

“Importantly, it was during one of these internal audits that the Fortinet PSIRT team itself identified this Remote Code Execution vulnerability,” Windsor wrote. “We immediately remediated and published this finding as part of our February PSIRT advisory. (If you are not subscribed to our advisories, we highly recommend registering using one of the methods described here.) Fortinet PSIRT policy balances our culture of transparency with our commitment to the security of our customers.”

In recent years, several Fortinet products have come under active exploitation. In 2021, a trio of vulnerabilities in Fortinet's FortiOS VPN (two patched in 2019 and one a year later) were targeted by attackers attempting to access multiple government, commercial, and technology services.

Last December, an unknown threat actor exploited a different critical vulnerability in the FortiOS SSL-VPN to infect government and government-related organizations with advanced custom-made malware. Fortinet quietly fixed the vulnerability in late November but didn't disclose it until after the in-the-wild attacks began. The company has yet to explain why, or to say what its policy is for disclosing vulnerabilities in its products.

The attacks of recent years show that security products designed to keep attackers out of protected networks can be a double-edged sword, one that is particularly dangerous when vendors fail to disclose vulnerabilities or, as in these two cases, when customers fail to install updates. Anyone who administers or oversees networks that use either ManageEngine or FortiNAC should check immediately to see if they're vulnerable. The research posts linked above provide a wealth of indicators people can use to determine if they've been targeted.

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Find him on Mastodon at https://infosec.exchange/@dangoodin or by email at dan.goodin@arstechnica.com.
