Fortinet’s patch for FortiJump, a critical missing authentication RCE flaw in FortiManager, left new vulnerabilities on the table for threat actors to exploit, according to new research.
A new report from watchTowr Labs described how when trying to recreate the initial FortiJump vulnerability, researchers discovered a series of additional flaws, and one they considered particularly worrying.
“[We] stumbled upon a couple of DoS vulnerabilities and what we suspect is a new vulnerability that allows an authenticated managed FortiGate device to take control of the FortiManager instance.”
The report has dubbed this new vulnerability ‘FortiJump Higher', and like its namesake affects FortiManager, the company’s tool for the centralized administration of FortiGate devices.
As such, the report warns FortiManager has a critical function in many organizations, and “you’d assume that it was built to at least the same standard as Fortinet’s other secure appliances.”
They added that due to the gravity of the original FortiJump flaw, and the similarity of FortJump Higher, they felt tech-savvy adversaries will likely already be aware of the weakness.
As such watchTowr said it decided to publish details of the issue before a patch or official remediation information could be released.
“Of course, we informed Fortinet of all the issues we found. However, we made the somewhat unusual decision to disclose the details of the main issue, the privilege escalation vulnerability, in full detail ahead of remediation advice or patches being issued.”
Original FortiJump patch labeled ‘incomplete’
The original FortiJump RCE vulnerability, assigned a critical 9.8 score on the CVSS, was publicly disclosed on 23 October.
At the time, a report from Google’s threat intelligence arm Mandiant indicated the flaw had been under mass exploitation for over three months, affecting over 50 FortiManager devices implemented in a number of industries.
Mandiant said it observed a new threat cluster, tracked as UNC5820 exploiting the vulnerability in June, exfiltrating configuration data of FortiGate devices managed by the compromised FortiManager instance.
The watchTowr researchers said their analysis of Fortinet's patch for the original FortiJump vulnerability indicates it is “incomplete”, warning organizations with FortiManager appliances affected by the issue need to keep their guard up.
Pick the right software provider to support your GenAI needs
“As far as we can make out, Fortinet just patched a chunk of irrelevant (dead?) code and left the actual vulnerability alone, wide open for attackers. This opens up a load of interesting questions - did Fortinet actually repro[duce] the issue before ‘fixing’ it?”
WatchTowr labs noted that it also found that the IoCs published by Mandiant, while helpful, may not cover all of the attacks made possible by the issue.
The fact that researchers also found two additional DoS flaws when investigating the issue led them to raise questions around the overall integrity of the FortiManager codebase.
“We also found two file overwrite vulnerabilities which could be leveraged to crash the system. The low complexity of these vulnerabilities brings into question the overall quality of the FortiManager codebase.”
ITPro has approached Fortinet for clarification on the issue but has not received a response.
