FortiOS, an operating system built by enterprise security provider Fortinet, has a number of high-severity flaws that are currently being exploited in the wild, US government agencies are saying.
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint warning, explaining that three different vulnerabilities (CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591) are being abused by hackers. FortiOS versions 5.4 through 6.4 are said to be affected by the bugs.
All three are classified as high severity and each has now been patched by the vendor. The problem is that not all IT teams have applied the necessary fixes, opening their networks up to attack.
CVE-2018-13379 allows attackers to download system files from the target machine, CVE-2020-12812 lets an attacker log into the device without the need for authentication, and CVE-2019-5591 enables the interception of sensitive data in traffic by impersonating an LDAP server.
The two US government agencies claim criminals are actively scanning for systems where the patches have yet to be applied, and are particularly interested in government and commercial entities.
“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the advisory reads.
“APT actors may use other CVEs or common exploitation techniques – such as spear-phishing – to gain access to critical infrastructure networks to pre-position for follow-on attacks.”