3 critical flaws in Fortinet products allow network-wide ransomware infection

Computer forensics specialists report three vulnerabilities in Fortinet products (FortiSIEM, FortiDeceptor and FortiWLC). Successful exploitation of these flaws would allow threat actors to launch ransomware infections, extract sensitive information, or execute arbitrary code on the target system.

Below is a brief description of the reported flaws, together with their CVE identifiers and their scores under the Common Vulnerability Scoring System (CVSS).

CVE-2015-0279: Improper input validation of the "do" parameter in the JBoss RichFaces library bundled with FortiSIEM would allow remote attackers to execute arbitrary code on the target system. A threat actor can inject Expression Language (EL) expressions into this parameter, which the server evaluates, leading to arbitrary Java code execution. This flaw received a score of 8.5/10, so it is considered a severe error, the computer forensics experts noted.

The flaw resides in the following versions of FortiSIEM: 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.9.0, 4.10.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7 and 5.2.8.

CVE-2020-6644: An insufficient session expiration flaw in FortiDeceptor would allow threat actors to gain access to sensitive information belonging to users of affected deployments. Because session tokens do not expire as they should, an unauthenticated remote attacker can obtain or guess a user's login token without logging in, exposing that account and the information stored under it. This medium severity flaw received a CVSS score of 6.5/10.

According to the computer forensics specialists, the flaw is found only in FortiDeceptor version 3.0.0.
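The following is an added illustration of the flaw class described above, insufficient session expiration, and is not FortiDeceptor's code or Fortinet's. It contrasts a session store whose tokens are sequential and never expire (exactly the situation in which a token can be guessed or reused long after login) with a store that issues random tokens from the OS CSPRNG, enforces both an absolute lifetime and an idle timeout, revokes expired sessions, and compares tokens in constant time. The class and parameter names, the timeouts, and the injectable clock are assumptions made for the example.

```python
"""Added example: a guessable, never-expiring session store beside a
hardened one. Example code written for this article, not FortiDeceptor's
or Fortinet's code; names and timeouts are assumptions."""
import hmac
import secrets
import time


class WeakSessionStore:
    """Sequential tokens with no expiry: the pattern that lets an attacker
    enumerate or guess valid sessions without ever logging in."""

    def __init__(self):
        self._counter = 1000          # predictable sequence (constructed, insecure)
        self._sessions = {}           # token -> user

    def login(self, user):
        token = str(self._counter)    # "1000", "1001", ... trivially guessable
        self._counter += 1
        self._sessions[token] = user
        return token

    def lookup(self, token):
        # No expiry check: once issued, a token stays valid forever.
        return self._sessions.get(token)


class HardenedSessionStore:
    """Random tokens bounded by an absolute lifetime and an idle timeout."""

    def __init__(self, max_lifetime=8 * 3600, idle_timeout=15 * 60, clock=time.time):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self._clock = clock           # injectable clock so expiry can be tested offline
        self._sessions = {}           # token -> (user, issued_at, last_seen)

    def login(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = (user, now, now)
        return token

    def lookup(self, token):
        """Return the user for a live token, or None (and revoke) if it has expired."""
        if not isinstance(token, str) or not token.isascii():
            return None               # compare_digest requires ASCII str operands
        now = self._clock()
        for stored, (user, issued, last_seen) in list(self._sessions.items()):
            # Constant-time comparison so timing does not leak matching prefixes.
            if hmac.compare_digest(stored, token):
                if now - issued > self.max_lifetime or now - last_seen > self.idle_timeout:
                    del self._sessions[stored]   # expired: revoke server-side
                    return None
                self._sessions[stored] = (user, issued, now)   # refresh idle timer
                return user
        return None

    def logout(self, token):
        """Explicit revocation on logout, so the token cannot be replayed."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    weak = WeakSessionStore()
    weak.login("alice")
    print("weak store: guessed token 1000 ->", weak.lookup("1000"))

    fake_clock = [1000.0]
    store = HardenedSessionStore(idle_timeout=600, clock=lambda: fake_clock[0])
    tok = store.login("alice")
    print("hardened, fresh ->", store.lookup(tok))
    fake_clock[0] += 601
    print("hardened, after idle timeout ->", store.lookup(tok))
```

The hardened store still needs the transport-side controls the page does not discuss (HTTPS-only cookies with `Secure` and `HttpOnly`, and token rotation on privilege changes); the example is limited to the expiry and guessability aspects named in the advisory description.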

CVE-2020-9288: Insufficient sanitization of user-supplied data in the ESS profile and RADIUS profile pages of FortiWLC would allow stored cross-site scripting (XSS) attacks. A remote authenticated attacker can store script in these profile fields that later executes in the browser of any user who views them, in the context of the vulnerable web interface.

The vulnerability received a score of 5.6/10, so it is considered a medium severity error. According to the report, its exploitation would allow a remote attacker to steal potentially sensitive information, alter the appearance of the web interface and carry out phishing attacks, among others.
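As an added illustration of the stored-XSS class described above (not FortiWLC's code or any code from Fortinet), the block below shows an administrator-supplied profile name being stored and later rendered into an HTML table row, first with raw interpolation and then with context-appropriate escaping. The HTML layout, the field names and the sample payload are constructed for the example.

```python
"""Added example: stored XSS through a profile name, vulnerable rendering
beside the hardened form. Example code for this article, not FortiWLC's
code; the markup, field names and payload are constructed."""
import html

# Constructed sample input. In a stored-XSS attack this value would be saved
# through the management UI by an authenticated user and then served to every
# administrator who views the profile list.
MALICIOUS_PROFILE = {
    "name": 'guest-net"><script>fetch("/api/config")</script>',
    "vlan": 10,
}
BENIGN_PROFILE = {"name": "corp-wifi", "vlan": 20}


def render_vulnerable(profile):
    """Raw interpolation: attacker-controlled text becomes live markup."""
    return (
        f'<tr><td class="ess-name">{profile["name"]}</td>'
        f'<td>{profile["vlan"]}</td></tr>'
    )


def render_hardened(profile):
    """Escape every untrusted value for the HTML context it lands in.

    quote=True also encodes both quote characters, so a value cannot break
    out of an attribute even if the template later moves it into one.
    """
    name = html.escape(str(profile["name"]), quote=True)
    vlan = html.escape(str(profile["vlan"]), quote=True)
    return f'<tr><td class="ess-name">{name}</td><td>{vlan}</td></tr>'


def contains_active_markup(rendered):
    """Crude check used to demonstrate the difference: is a <script> tag
    still present in the rendered HTML?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(MALICIOUS_PROFILE))
    print("hardened:  ", render_hardened(MALICIOUS_PROFILE))
```

Output encoding at render time is the fix that directly addresses the flaw; input-side length or character allowlists on profile names and a Content-Security-Policy header on the management interface are useful additional layers but do not replace it.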

Fortinet acknowledged the reports and worked on the necessary corrections. Updates have already been released, so administrators of affected deployments need only apply them and verify the installed version. So far, no active exploitation attempts and no malware associated with these flaws have been detected.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of the technology companies concerned.