Alert essentials:
FortiSwitches allow unauthenticated code execution on vulnerable devices when bad actors capture a hardcoded cryptographic key.
To avoid system compromise, deploy version updates immediately.
Detailed threat description:
Due to their widespread use in critical infrastructure and enterprise environments, Fortinet products are frequently targeted by hackers.
Exploiting zero-day vulnerabilities and large-scale compromises indicates that attackers find Fortinet products highly valuable targets for breaching networks and accessing sensitive data.
This week, Fortinet released a Product Security Incident Response Team (PSIRT) advisory to inform users of access to a cryptographic key in vulnerable versions of the FortiSwitch. This is Fortinet’s scalable network switch solution that integrates with existing Fortinet infrastructures.
Yet, a recent discovery revealed that device versions with a hard-coded cryptographic key enable unauthenticated remote code execution. Hackers use a specially crafted malicious request to gain access and possibly establish persistence on vulnerable switches.
This weakness is not known to be exploited, and no exploit code exists. However, threat actors actively search for and exploit vulnerabilities in Fortinet software.
Deploy version updates as soon as possible to avoid potential compromise. FortiSwitch 6.0 has reached its end-of-life, and users are advised to migrate to a fixed release.
Impacts on healthcare organizations:
Exploitation of this flaw could allow attackers to execute arbitrary code that compromises FortiSwitch devices and disrupts critical services. Once a FortiSwitch device is compromised, attackers may use it as a gateway to move laterally within the network and damage or destroy other systems.
To mitigate risks, it is crucial to update FortiSwitch devices to the latest patched versions immediately, implement network segmentation, and monitor suspicious activity regularly.
Affected Products / Versions:
| Version | Affected | Solution |
|---|---|---|
| FortiSwitch 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiSwitch 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiSwitch 7.0 | 7.0.0 through 7.0.7 | Upgrade to 7.0.8 or above |
| FortiSwitch 6.4 | 6.4.0 through 6.4.13 | Upgrade to 6.4.14 or above |
| FortiSwitch 6.2 | 6.2.0 through 6.2.7 | Upgrade to 6.2.8 or above |
| FortiSwitch 6.0 | 6.0.0 through 6.0.7 | Migrate to a fixed release |
CVEs
CVE-2023-37936 – CWE-321 – CVSS 9.8
Recommendations
Engineering recommendations:
- Update FortiSwitch devices immediately to the latest patched versions
- Implement network segmentation to isolate FortiSwitch devices from untrusted networks
- Monitor network traffic for suspicious activities or unauthorized access attempts targeting FortiSwitch devices.
- Implement strong access controls and authentication mechanisms for all network devices
Leadership/ Program recommendations:
- If your organization uses FortiSwitch 6.0 devices, which have reached end-of-life, allocate resources to migrate to supported and patched versions immediately
- Enforce strong access controls
- Implement a documented process for identifying, assessing, and addressing vulnerabilities across your enterprise assets
- Educate your staff about the importance of cybersecurity and their role in maintaining a secure network environment
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CVE.org: https://www.cve.org/CVERecord?id=CVE-2023-37936
- Fortinet Product Security Incident Response Team (psirt) advisory: https://www.fortiguard.com/psirt/FG-IR-23-260
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-37936
