Fortinet has issued a security advisory warning about a vulnerability in its FortiOS operating system, classified as 'Incorrect Provision of Specified Functionality' (CWE-684). This vulnerability allows a locally authenticated attacker to execute system commands through specially crafted CLI commands. Although the company has released corrected versions, it is crucial that users take immediate steps to secure their devices.
The vulnerability is not a remote zero-day that can be exploited without credentials, but it still represents a considerable risk. In many environments, the CLI console (SSH/console) is accessible to multiple operators, which could facilitate an attack if any of these accounts is compromised or if there is poor segregation of privileges. Fortinet emphasizes the importance of applying patches quickly and strengthening administrative access controls.
The affected FortiOS versions range from 7.6.0 up to several releases of 7.4, 7.2, and 7.0; all 6.4 versions are affected without a direct solution, which requires migrating to a supported branch. The corrected versions start from 7.6.1 and higher.
The advisory also details the FortiGate models affected, including those from the 100E/F, 1100E/F, 1800F series, and several more, up to the 7000E and 7000F models. The company warns that even if a model is not on the list, the versions must be checked and updates planned if necessary.
Although the vulnerability requires authentication, many organizations face risks by having multiple administrators or integrations with LDAP/AD/RADIUS. A poorly segmented access, without the protection of multifactor authentication (MFA), could allow unauthorized actions.
To mitigate the risk while an update is being carried out, it is recommended to restrict administrative access to trusted IPs, enable MFA, disable unnecessary CLI/SSH access, review administrator profiles to apply the principle of least privilege, and monitor the admin logs to detect anomalous commands.
As part of the action plan, it is suggested to take an inventory of all devices, verify the FortiOS version, follow security hardening measures, and implement a controlled update strategy, especially in high-availability (HA) configurations or with multiple virtual domains (VDOMs).
It is crucial that organizations maintain ongoing security practices, such as having separate management networks, implementing named accounts without sharing credentials, and performing regular backups. Additionally, a patch schedule and a service level agreement (SLA) must be maintained to address critical vulnerabilities without delay.
Finally, it is essential that security and management teams continue monitoring and implementing appropriate measures to mitigate potential risks, always bearing in mind that a vulnerability that requires authentication can still have a severe impact if security measures are not adequately reinforced.
More information and references in Cloud News.
