Fortinet, a leading cybersecurity company, recently released a security advisory warning that a zero-day vulnerability in their FortiOS operating system has been actively exploited in attacks. The vulnerability, which was quietly fixed on November 28th, has the potential to seriously compromise the security of affected systems. Enterprotect advises all Fortinet users to update to the latest version of FortiOS as soon as possible to protect against this threat.

What is the Threat?

The Fortinet zero-day vulnerability is a critical security flaw in the FortiOS operating system that allows attackers to remotely execute arbitrary code on affected systems. This vulnerability can be exploited to gain unauthorized access to sensitive data, disrupt operations, or even take complete control of the affected system.

Why is it Noteworthy?

The Fortinet zero-day vulnerability is noteworthy because it has been actively exploited in attacks. This means that attackers are actively using this vulnerability to compromise the security of affected systems. Additionally, Fortinet is a widely used cybersecurity solution, so the potential number of systems that could be affected by this vulnerability is significant.

What is the Exposure or Risk?

The exposure or risk associated with the Fortinet zero-day vulnerability is high. If a system is running an affected version of FortiOS, it is vulnerable to attack. Attackers can use this vulnerability to gain unauthorized access to sensitive data, disrupt operations, or take complete control of the affected system.

What are the Recommendations?

Enterprotect recommends that all Fortinet users update to the latest version of FortiOS as soon as possible. Fortinet has released several versions of FortiOS that include a fix for this vulnerability, including version 7.2.3, version 7.0.9, version 6.4.11, and version 6.2.12. Additionally, FortiOS-6K7K versions 7.0.8, 6.4.10, 6.2.12, and 6.0.15 also include the fix.

If it is not possible to update to the latest version of FortiOS, Enterprotect suggests customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.

In addition to updating to the latest version of FortiOS, Enterprotect advises all Fortinet users to take the following steps to protect against this threat:

• Monitor logs for suspicious activity, specifically entries that include "Application crashed" and "Signal 11 received"

• Look for the following file system artifacts on your device: /data/lib/libips.bak, /data/lib/libgif.so, /data/lib/libiptcp.so, /data/lib/libipudp.so, /data/lib/libjepg.so, /var/.sslvpnconfigbk, /data/etc/wxd.conf, and /flash

• Identify any connections from the IP addresses seen exploiting the vulnerability (188.34.130.40:444, 103.131.189.143:30080,30081,30443,20443, 192.36.119.61:8443,444, 172.247.168.153:8033) and block them if necessary.

It is also important to note that while Fortinet has released a patch for this vulnerability, it is possible that attackers may have already exploited it before the patch was released. Therefore, it is essential to take additional steps to protect your organization's systems even if they have been updated.