CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy


Fortinet has patched a critical authentication bypass in its FortiOS and FortiProxy products that could lead to administrator access.

Background

On October 7, public reports began to circulate that Fortinet had communicated directly with customers about a critical vulnerability in its FortiOS and FortiProxy products. This vulnerability, CVE-2022-40684, has been patched, but Fortinet has not yet released a full advisory via its Product Security Incident Response Team (PSIRT).

Fortinet usually follows a monthly release schedule for security advisories on the second Tuesday of every month, the same day as Microsoft’s Patch Tuesday. It remains to be seen whether it will follow the same schedule for the CVE-2022-40684 advisory. The following tweet contains an image taken from the email communication sent to Fortinet customers.

Update: By now the full text of the e-mail and a screenshot of the internal advisory have been shared.
So here goes a screenshot of the unredacted full e-mail as shared on Facebook. Also containing possible #workarounds. #Fortinet #CVE202240684 #RCE #authbypass #advisory pic.twitter.com/ruVmYhyXA5

— Gitworm (@Gi7w0rm) October 7, 2022

Analysis

CVE-2022-40684 is a critical authentication bypass vulnerability that received a CVSSv3 score of 9.6. By sending specially crafted HTTP or HTTPS requests to a vulnerable target, a remote attacker with access to the management interface could perform administrator operations.

At this time, there is no information on whether this vulnerability has been exploited in attacks. But, given threat actors’ penchant for targeting FortiOS vulnerabilities, Fortinet’s recommendation to remediate this vulnerability “with the utmost urgency” is appropriate.

Solution

The communications Fortinet sent to customers, which have now been shared publicly on Twitter, outline the following vulnerable and fixed version numbers:

Product       Vulnerable Versions     Fixed Version
FortiOS       7.0.0 to 7.0.6          7.0.7
              7.2.0 to 7.2.1          7.2.2
FortiProxy    7.0.0 to 7.0.6          7.0.7
              7.2.0                   7.2.1

If you cannot apply patches immediately, Fortinet recommends using a local-in policy to limit access to the management interface. Fortinet also includes steps for disabling administrative access on the internet-facing interface and for restricting access to trusted hosts in its FortiGate Hardening Guide. As the guide notes, these steps are part of its system administrator best practices.
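As an added illustration of the interim mitigation described above (this is not Fortinet's own text or configuration), the following FortiOS CLI fragment combines a local-in policy with the hardening guide's trusted-host and allowaccess steps. The interface names "port1" and "wan1", the admin subnet 10.0.0.0/24 and the administrator name "admin" are placeholders to replace with your own values.

```text
# Added example: restrict administrative access until 7.0.7 / 7.2.2 is applied.
# "port1", "wan1", 10.0.0.0/24 and "admin" are placeholder values.

# 1. Address object for the hosts allowed to reach the management interface
config firewall address
    edit "MGMT_TRUSTED_HOSTS"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# 2. Local-in policy: accept HTTPS/SSH from trusted hosts, deny it from all others.
#    Entries are evaluated in order, so the accept rule must precede the deny rule.
config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "MGMT_TRUSTED_HOSTS"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end

# 3. Remove HTTP/HTTPS/SSH from the internet-facing interface entirely
#    (leaving only ping), as the hardening guide advises
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 4. Per-administrator trusted hosts, so the account cannot log in from elsewhere
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end
```

After applying it, confirm from an untrusted address that the management ports no longer answer, and from a trusted address that they still do, before relying on it as the stopgap.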

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they are released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released. Customers can also use Plugin ID 73522 to identify the version of Fortinet devices in their network. Please note that the plugin requires SSH credentials for the Fortinet device.

Get more information

FortiOS release notes for 7.2.2
FortiOS release notes for 7.0.7
Fortinet PSIRT


New cryptojacking campaign exploits OneDrive vulnerability


Cryptojacking is turning into a security nightmare for consumers and enterprises alike. Malicious actors have used a variety of techniques to install cryptojackers on victims' computers, and in a new development, cybersecurity software maker Bitdefender has detected a cryptojacking campaign that uses a Microsoft OneDrive vulnerability to gain persistence and run undetected on infected devices.

Between May 1 and July 1, Bitdefender detected about 700 users who were affected by the campaign. The campaign uses four cryptocurrency mining algorithms—Ethash, Etchash, Ton and XMR— making an average of $13 worth of cryptocurrency per infected computer, Bitdefender reported this week.


What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe


Your phone buzzes. You hope it’s a reply from last night’s date, but instead you get an entirely different swooping feeling: It’s an alarming SMS text alerting you about suspicious activity on your bank account and that immediate action is necessary.  

Take a deep breath and make sure to read the message carefully. Luckily, your assets could be completely safe. It could just be a smisher. 

Smishing, or phishing over SMS, is a tactic in which cybercriminals impersonate reputable organizations or people and trick recipients into handing over their PII or financial details. Sometimes they can seem very credible with the information they have, and you may even have been expecting a message of a similar nature.

So how can you tell when an SMS text is real and requires your attention? And how should you deal with a smisher to keep your identity safe? 

What Is Smishing? 

Like email phishing and social media phishing, SMS text phishing often tries to use a strong emotion, such as fear, anger, guilt, or excitement, to get you to respond immediately and without thinking through the request completely.

In the case of one coordinated smishing attack, cybercriminals not only impersonated financial institutions but collected PII on their targets ahead of time. The criminals then used these personal details, such as old addresses and Social Security Numbers, to convince people that they were legitimate bank employees.[1] But since when does a bank try to prove itself to the customer? Usually, it's the other way around: they ask you to confirm your identity. Be wary of anyone who texts or calls you and already has your PII. If you're ever suspicious of a caller or texter claiming to be a financial official, contact your bank through verified channels (chat, email, or phone) listed on the bank's website to make sure.

Smishers often keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. This adds false legitimacy to their message. For example, in the summer of 2022, Rogers Communications, a Canadian telecommunications provider, experienced an extended loss of service and told customers they could expect a reimbursement. Smishers jumped on the opportunity and sent a barrage of fake texts requesting banking details in order to carry out the reimbursement.[2] However, Rogers credited customers directly to their Rogers accounts.

3 Tips to Identify a Smisher 

If you receive a suspicious text, go through these three steps to determine if you should follow up with the organization in question or simply delete and report the text. 

1. Know your notification preferences.

Do you have text alerts enabled for your bank and utility accounts? If not, disregard any text claiming to be from those organizations. Companies will only contact you through the channels you have approved. Also, in the case of the Rogers smishing scheme, be aware of how a company plans to follow up with customers regarding reimbursements. You can find information like this on their official website and verified social channels. 

2. Check the tone.

If the tone of the text urges you to act quickly or proposes a dire consequence of ignoring the message, be on alert. While suspicious activity on your credit card is serious, your bank will likely reimburse you for charges you didn’t make, so you have time to check your bank account and see recent activities. Official correspondence from financial institutions will always be professional, typo-free, and will try to put you at ease, not make you panic.

3. Verify the phone number.

Whenever you get a text from someone you don’t know, it’s a good practice to do an internet search for the number to see with whom it’s associated. If it’s a legitimate number, it should appear on the first page of the search results and direct to an official bank webpage. 

What to Do When You Receive a Fake SMS Alert 

Once you’ve identified a fake SMS alert, do not engage with it. Never click on any links in the message, as they can redirect you to risky sites or download malware to your device. If you have McAfee Safe Browsing on your mobile, it can be your backup if you accidentally open a malicious link. 

Also, don’t reply to the text. A reply lets the criminal on the other end know that they reached a valid phone number, which may cause them to redouble their efforts. Finally, block the number and report it as spam. 

An absolute rule to always follow is to never give out your Social Security Number, banking information, usernames, or passwords over text.

How to Keep Your PII Safe from Smishers 

To give you peace of mind in cases where you think a malicious actor has access to your PII, you can count on McAfee+. McAfee+ offers a comprehensive suite of identity and privacy protection services to help you feel more confident in your digital life. 

[1] PC Mag, "Scammers Are Using Fake SMS Bank Fraud Alerts to Phish Victims, FBI Says"

[2] Daily Hive, "Rogers scam alert: Texts offering credit after outage are fake"

The post What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe appeared first on McAfee Blog.


USN-5371-3: nginx vulnerability


USN-5371-1 and USN-5371-2 fixed several vulnerabilities in nginx.
This update provides the corresponding update for CVE-2020-11724
for Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that nginx Lua module mishandled certain inputs.
An attacker could possibly use this issue to perform an HTTP Request
Smuggling attack. This issue was fixed for Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-11724)

It was discovered that nginx Lua module mishandled certain inputs.
An attacker could possibly use this issue to disclose sensitive
information. This issue only affects Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-36309)

It was discovered that nginx mishandled the use of
compatible certificates among multiple encryption protocols.
If a remote attacker were able to intercept the communication,
this issue could be used to redirect traffic between subdomains.
(CVE-2021-3618)
