Join us in-person to celebrate the launch of our first runZero Research Report! Learn more

How to find FortiOS, FortiProxy, and FortiClient devices

Rob King
Updated

Latest Fortinet vulnerabilities #

On March 12th, 2024, Fortinet disclosed several vulnerabilities in their FortiOS, FortiProxy, and FortiClient products:

  • FG-IR-23-328 – a buffer overflow vulnerability in the handling of form-based authentication in the FortiOS and FortiProxy captive portals, allowing remote, unauthenticated attackers to execute arbitrary code. This vulnerability has been assigned CVEs CVE-2023-42789 and CVE-2023-42790. These vulnerabilities have a CVSS score of 9.3, indicating that they are critical.

  • FG-IR-24-007 – a SQL injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been designated CVE-2023-48788, and has been given a CVSS score of 9.8 (critical).

  • FG-IR-23-390 – a log injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been assigned CVE-2023-47534 and a CVSS score of 7.7 (high).

  • FG-IR-23-103 – a remote code execution vulnerability in the FortiManager product. This vulnerability has been designated CVE-2023-36554 with a CVSS score of 7.7 (high). Note that the vulnerable subsystem is not installed by default.

  • FG-IR-23-013 – an information disclosure vulnerability in the FortiGuard SSL-VPN product. This vulnerability has been designated CVE-2024-23112 and given a CVSS score of 7.2 (high).

What is the impact? #

Upon successful exploitation of these vulnerabilities, attackers can execute arbitrary code on the vulnerable system or disclose privileged information.

Are updates or workarounds available? #

Fortinet has released updates to mitigate this issue and all users are urged to update immediately.

How to find potentially vulnerable FortiOS, FortiProxy or FortiClient operating systems with runZero #

From the Asset Inventory, use the following query to locate assets running the FortiOS or FortiProxy operating systems, which may be vulnerable:

os:"FortiOS" OR os:"FortiProxy"

Additionally, from the Services Inventory, use the following query to locate potentially vulnerable systems:

html.title:="FortiClient Endpoint Management Server"

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

CVE-2024-21762 (February 2024) #

On February 8th, 2024, Fortinet disclosed a serious vulnerability in their FortiOS operating system, used by multiple Fortinet products.

The issue, CVE-2024-21762, allowed attackers to execute arbitrary code on vulnerable devices. The vendor has indicated that this is a critical vulnerability. The vendor reports that there are indications that this vulnerability may be actively exploited in the wild. Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary code on the vulnerable system.

Are updates or workarounds available? #

Fortinet released an update to mitigate this issue and all users were urged to update immediately. Additionally, the vendor indicated that disabling the SSL-VPN functionality of the device would mitigate the issue.

How do I find potentially vulnerable FortiOS devices with runZero? #

From the Asset Inventory, use the following query to locate assets running the FortiOS operating system which may potentially be vulnerable:

os:"FortiOS" AND tcp:443

CVE-2022-40684 (October 2022) #

News surfaced in October 2022 of a critical authentication bypass vulnerability present in the web administration interface of some Fortinet products. Successful exploitation of this vulnerability (tracked as CVE-2022-40684) via crafted HTTP and HTTPS requests could provide remote attackers with admin-level command execution on vulnerable FortiOS devices including FortiGate firewalls, FortiProxy web proxies, and FortiSwitchManager assets.

What was the impact? #

With a CVSS critical score of 9.6, attackers running admin-level commands on compromised assets may have had the ability to persist presence, explore connected internal networks, and exfiltrate data. At the time Fortinet was aware of at least one exploit of this vulnerability in the wild, and Bleeping Computer offered a Shodan search showing more than 140k publicly accessible FortiGate devices potentially running vulnerable FortiOS. Additionally, security researchers with Horizon3.ai planned on publishing an exploit PoC. For admins wanting to check if a FortiOS/FortiProxy/FortiSwitchManager asset had been exploited, Fortinet provides an indicator of compromise (see the “Exploitation Status” section).

Fortinet called out the vulnerable FortiOS, FortiProxy, and FortiSwitchManager versions in their advisory and had made updates available for affected products. Admins were advised to ensure that affected models were updated to the latest version as soon as possible. If updates could not be completed in the near term, Fortinet provided some mitigation steps (see the “Workaround” section) that could be taken to secure vulnerable assets.

How runZero users found FortiOS, FortiProxy, and FortiSwitchManager assets #

From the Asset Inventory, runZero users entered the following pre-built query to locate FortiOS, FortiProxy, and FortiSwitchManager assets:

os:FortiOS or product:FortiProxy or product:FortiSwitchManager
The prebuilt query is available in the Queries Library

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2
Palo Alto Networks disclosed that versions of their PAN-OS software have a vulnerability allowing for remote command injection. Here's how to find...
Read More
Rapid Response
How to find CrushFTP services
CrushFTP disclosed that versions of their file transfer software have a vulnerability allowing unauthenticated file system access. Here's how to...
Read More
Rapid Response
How to find outdated lighttpd services
Outdated versions of the open source lighttpd web server are vulnerable to a handful of security vulnerabilities
Read More
Rapid Response
How to find D-Link NAS Storage devices
D-Link has disclosed multiple vulnerabilities in their D-Link NAS Storage products. Here's how to find potentially impacted devices.
Read More

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try It Free
© Copyright 2024 runZero, Inc. All Rights Reserved