Fortinet FortiVoice O-Day Vulnerability Actively Exploited in The Wild
A critical stack-based buffer overflow vulnerability (CWE-121) has been discovered in multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
A critical zero-day vulnerability in FortiVoice systems is being actively exploited in the wild. It allows unauthenticated attackers to execute arbitrary code or commands remotely through specially crafted HTTP requests, which poses a significant threat to affected organizations.
“Fortinet has observed this to be exploited in the wild on FortiVoice,” Fortinet stated.
Vulnerability Details and Exploitation
Fortinet’s Product Security Team identified the vulnerability after observing real-world exploitation targeting FortiVoice systems. Threat actors have leveraged the flaw to conduct malicious activities, including:
- Network Scanning: Probing the device network for additional vulnerabilities.
- Log Manipulation: Erasing system crash logs to cover tracks.
- Credential Harvesting: Enabling FastCGI (fcgi) debugging to capture credentials from system or SSH login attempts.
Exploitation has been linked to specific Indicators of Compromise (IoCs), including malicious IP addresses (e.g., 198.105.127.124, 43.228.217.173), modified system files, and added cron jobs designed to extract sensitive data.
Affected Products and Mitigation
The vulnerability affects various versions of Fortinet’s product portfolio. The table below lists affected systems and their respective fixes:
| Product | Affected Versions | Solution |
|---|---|---|
| FortiCamera | 2.1.0–2.1.3 | Upgrade to 2.1.4 or above |
| 2.0, 1.1 (all versions) | Migrate to a fixed release | |
| FortiMail | 7.6.0–7.6.2 | Upgrade to 7.6.3 or above |
| 7.4.0–7.4.4 | Upgrade to 7.4.5 or above | |
| 7.2.0–7.2.7 | Upgrade to 7.2.8 or above | |
| 7.0.0–7.0.8 | Upgrade to 7.0.9 or above | |
| FortiNDR | 7.6.0 | Upgrade to 7.6.1 or above |
| 7.4.0–7.4.7 | Upgrade to 7.4.8 or above | |
| 7.2.0–7.2.4 | Upgrade to 7.2.5 or above | |
| 7.0.0–7.0.6 | Upgrade to 7.0.7 or above | |
| 7.1, 1.5, 1.4, 1.3, 1.2, 1.1 (all versions) | Migrate to a fixed release | |
| FortiRecorder | 7.2.0–7.2.3 | Upgrade to 7.2.4 or above |
| 7.0.0–7.0.5 | Upgrade to 7.0.6 or above | |
| 6.4.0–6.4.5 | Upgrade to 6.4.6 or above | |
| FortiVoice | 7.2.0 | Upgrade to 7.2.1 or above |
| 7.0.0–7.0.6 | Upgrade to 7.0.7 or above | |
| 6.4.0–6.4.10 | Upgrade to 6.4.11 or above |
As a temporary workaround, Fortinet recommends disabling the HTTP/HTTPS administrative interface to prevent exploitation until patches are applied.
Indicators of Compromise (IoCs)
The following table details the IoCs provided by Fortinet to detect potential compromise:
| Category | Details |
|---|---|
| Log Entries | Errors in CLI command diagnose debug application httpd display trace-log: |
| – [fcgid:warn] mod_fcgid: error reading data, FastCGI server closed connection | |
| – [fcgid:error] mod_fcgid: process /migadmin/www/fcgi/admin.fe exit(communication error), get unexpected signal 11 | |
| Malicious IP Addresses | 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, 218.187.69.59 |
| Modified Settings | Enabled fcgi debugging: CLI command diag debug application fcgi shows “general to-file ENABLED” |
| Malicious Files | – /bin/wpad_ac_helper (MD5: 4410352e110f82eabc0bf160bec41d21): Main malware file |
| – /bin/busybox (MD5: ebce43017d2cb316ea45e08374de7315, 489821c38f429a21e1ea821f8460e590) | |
| – /lib/libfmlogin.so (MD5: 364929c45703a84347064e2d5de45bcd): Logs SSH credentials | |
| – /tmp/.sshdpm: Stores stolen credentials | |
| – /bin/fmtest (MD5: 2c8834a52faee8d87cff7cd09c4fb946): Network scanning script | |
| Cron Jobs | Modified /data/etc/crontab and /var/spool/cron/crontabs/root: |
| – 0 */12 * * * root busybox grep -rn passw /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug | |
| – 0 */12 * * * root cat /var/spool/crashlog/fcgi.debug > /var/spool/.sync; cat /dev/null >/var/spool/crashlog/fcgi.debug | |
| Modified Files | – /var/spool/.sync: Stores credentials gathered by cron jobs |
| – /etc/pam.d/sshd: Lines added to include malicious libfmlogin.so | |
| – /etc/httpd.conf: Line added to include socks.so: LoadModule socks5_module modules/mod_socks5.so |
Fortinet’s Product Security Team discovered the vulnerability through active threat monitoring.
The company issued an advisory today, urging immediate action. Organizations should prioritize upgrading to the recommended versions, monitoring for IoCs, and applying the workaround if patching is delayed.
This zero-day vulnerability highlights the critical need for timely patching and vigilant monitoring of network security appliances.
With confirmed active exploitation, Fortinet customers must act swiftly to apply the recommended fixes and check for signs of compromise.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link
