A world of hurt for Fortinet and Zoho after users fail to install patches
Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors race to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.
The vulnerabilities both carry severity ratings of 9.8 out of a possible 10 and reside in two unrelated products crucial in securing large networks. The first, tracked as CVE-2022-47966, is a pre-authentication remote code execution vulnerability in 24 separate products from software maker Zoho that use the company’s ManageEngine. It was patched in waves from last October through November. The second vulnerability, CVE-2022-39952, affects a product called FortiNAC, made by cybersecurity company Fortinet and was patched last week.
Both ManageEngine and FortiNAC are billed as zero-trust products, meaning they operate under the assumption a network has been breached and constantly monitor devices to ensure they’re not infected or acting maliciously. Zero-trust products don’t trust any network devices or nodes on a network and instead actively work to verify they’re safe.
24 Zoho products affected
ManageEngine is the motor that powers a wide range of network management software and appliances from Zoho that perform core functions. AD Manager Plus, for instance, helps admins set up and maintain the Active Directory, the Windows service for creating and deleting all user accounts on a network and delegating system privileges to each one. Password Manager Pro provides a centralized digital vault for storing all of a network’s password data. Other products enabled by ManageEngine manage desktops, mobile devices, servers, applications, and service desks.
CVE-2022-47966 allows attackers to remotely execute malicious code by issuing a standard HTTP POST request that contains a specially crafted response using the Security Assertion Markup Language. (SAML, as it’s abbreviated, is an open-standard language identity providers and service providers use to exchange authentication and authorization data.) The vulnerability stems from Zoho’s use of an outdated version of Apache Santuario for XML signature validation.
In January, roughly two months after Zoho patched the ManageEngine vulnerability, security firm Horizon3.ai published a deep dive analysis that included proof-of-concept exploit code. Within a day, security firms such as Bitdefender began seeing a cluster of active attacks from multiple threat actors targeting organizations worldwide that still hadn’t installed the security update.
Some attacks exploited the vulnerability to install tools such as the command line Netcat and, from there, the Anydesk remote login software. When successful, the threat actors sell the initial access to other threat groups. Other attack groups exploited the vulnerability to install ransomware known as Buhti, post-exploitation tools such as Cobalt Strike and RAT-el, and malware used for espionage.
“This vulnerability is another clear reminder of the importance of keeping systems up to date with the latest security patches while also employing strong perimeter defense,” Bitdefender researchers wrote. “Attackers don’t need to scour for new exploits or novel techniques when they know that many organizations are vulnerable to older exploits due, in part, to the lack of proper patch management and risk management.”
Zoho representatives didn’t respond to an email seeking comment for this post.
FortiNAC under “massive” attack
CVE-2022-39952, meanwhile, resides in FortiNAC, a network access control solution that identifies and monitors every device connected to a network. Large organizations use FortiNAC to protect operational technology networks in industrial control systems, IT appliances, and Internet of Things devices. The vulnerability class, known as an external control of file name or path, allows unauthenticated attackers to write arbitrary files to a system and, from there, obtain remote code execution that runs with unfettered root privileges.
Fortinet patched the vulnerability on February 16 and within days, researchers from multiple organizations reported it was under active exploit. The warnings came from organizations or companies, including Shadowserver, Cronup, and Greynoise. Once again, Horizon3.ai provided a deep dive that analyzed the cause of the vulnerability and how it could be weaponized.
“We have started to detect the massive installation of Webshells (backdoors) for later access to compromised devices,” researchers from Cronup wrote.
The vulnerability is being exploited by what appear to be multiple threat actors in attempts to install different web shells, which provide attackers with a text window through which they can remotely issue commands.
In a blog post published Thursday, Fortinet CTO Carl Windsor said the company regularly performs internal security audits to find security bugs in its products.
“Importantly, it was during one of these internal audits that the Fortinet PSIRT team itself identified this Remote Code Execution vulnerability,” Windsor wrote. “We immediately remediated and published this finding as part of our February PSIRT advisory. (If you are not subscribed to our advisories, we highly recommend registering using one of the methods described here.) Fortinet PSIRT policy balances our culture of transparency with our commitment to the security of our customers.”
In recent years, several Fortinet products have come under active exploitation. In 2021, a trio of vulnerabilities in Fortinet’s FortiOS VPN—two patched in 2019 and one a year later—were targeted by attackers attempting to access multiple government, commercial, and technology services.
Last December, an unknown threat actor exploited a different critical vulnerability in the FortiOS SSL-VPN to infect government and government-related organizations with advanced custom-made malware. Fortinet quietly fixed the vulnerability in late November but didn’t disclose it until after the in-the-wild attacks began. The company has yet to explain why or say what its policy is for disclosing vulnerabilities in its products.
The attacks in recent years show that security products designed to keep attackers out of protected networks can be a double-edged sword that can be particularly dangerous when companies fail to disclose them or, more recently, customers fail to install updates. Anyone who administers or oversees networks that use either ManageEngine or FortiNAC should check immediately to see if they’re vulnerable. The above-linked research posts provide a wealth of indicators people can use to determine if they’ve been targeted.