FortiOS - Removal of `restore src-vis` command.
Summary
A download of code without integrity check vulnerability [CWE-494] in the "execute restore src-vis" command of FortiOS may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.
Exploitation Status:
Fortinet is aware of an instance where this vulnerability was abused and recommends immediately validating your systems for the following indicators of compromise:
- Unexpected files on the FortiGate device (list files with fnsysctl ls):
  /data2/virc.dat
  /data2/vire
  /data2/vire.tar.gz
  /data2/vire.tar
  /data2/vird
  /data2/gettd
  /data2/smartctll
  /data2/ftar
  /data2/reportnd
  /data2/llpdtd
  /data2/flcfgt
  /data2/viree/vire/inject
  /data2/viree/vire/insmod
  /data2/viree/vire/hack.o
  /data2/viree/vire/libips.so
  /bin/lldptd
  /data/lib/libipsx.so
  /data2/viree/vire/ld.so.preload
  /etc/ld.so.preload
- Unexpected processes running on the FortiGate device
  The following unexpected processes were found to be running on the device when running fnsysctl ps:
  30892 0 0 S ash -c /bin/flcfgt>/data2/44.txt 2>&1
  30068 0 0:00 {smartctl} ash -c /data2/smartctl ps>/data2/17.txt 2>
- Unexpected traffic sourced from the FortiGate device
  Traffic has been observed to the following C&C servers on port 7443 (plaintext HTTP):
  192.46.213.244
  172.105.181.67
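The three indicator checks above can be scripted against saved CLI output and exported traffic logs. The following Python script is an added example, not Fortinet's code: it embeds the advisory's file paths, the binary names from its process listing and its C&C addresses, then runs them over constructed sample data. Two assumptions are made and labelled in the code: that `fnsysctl ls <dir>` prints plain whitespace-separated names, and that traffic records use FortiGate-style `key=value` fields (`srcip`, `dstip`, `dstport`).

```python
import re
from typing import Dict, List

# Indicators copied from the advisory's IoC list.
IOC_FILES = frozenset({
    "/data2/virc.dat", "/data2/vire", "/data2/vire.tar.gz", "/data2/vire.tar",
    "/data2/vird", "/data2/gettd", "/data2/smartctll", "/data2/ftar",
    "/data2/reportnd", "/data2/llpdtd", "/data2/flcfgt",
    "/data2/viree/vire/inject", "/data2/viree/vire/insmod",
    "/data2/viree/vire/hack.o", "/data2/viree/vire/libips.so",
    "/bin/lldptd", "/data/lib/libipsx.so",
    "/data2/viree/vire/ld.so.preload", "/etc/ld.so.preload",
})
# Binary names taken from the advisory's "fnsysctl ps" excerpt.
IOC_PROCESS_NAMES = frozenset({"flcfgt", "smartctl"})
IOC_C2_IPS = frozenset({"192.46.213.244", "172.105.181.67"})
IOC_C2_PORT = 7443

# Constructed sample data (not captured from a real device).
# Assumption: "fnsysctl ls <dir>" prints plain, whitespace-separated names.
SAMPLE_LS_DATA2 = "lost+found vire vire.tar.gz smartctl config.db 44.txt"
SAMPLE_PS = """\
1 0 0:05 /bin/init
30892 0 0 S ash -c /bin/flcfgt>/data2/44.txt 2>&1
30068 0 0:00 {smartctl} ash -c /data2/smartctl ps>/data2/17.txt 2>&1
"""
# Assumption: FortiGate-style key=value traffic records.
SAMPLE_TRAFFIC = [
    'srcip=10.0.0.1 dstip=192.46.213.244 dstport=7443 proto=6 action=accept',
    'srcip=10.0.0.1 dstip=8.8.8.8 dstport=53 proto=17 action=accept',
    'srcip=10.0.0.1 dstip=172.105.181.67 dstport=443 proto=6 action=accept',
]

_PATH = re.compile(r"/[\w./+-]+")          # absolute paths inside a command line
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"


def check_files(ls_output: str, directory: str) -> List[str]:
    """Return IoC paths present in a directory listing. Matching is exact:
    a legitimate /data2/smartctl is not the advisory's /data2/smartctll."""
    prefix = directory.rstrip("/") + "/"
    found = {prefix + name.rstrip("/") for name in ls_output.split()}
    return sorted(found & IOC_FILES)


def check_processes(ps_output: str) -> List[Dict[str, str]]:
    """Flag ps lines whose command references an IoC path or IoC binary name."""
    hits = []
    for line in ps_output.splitlines():
        line = line.strip()
        if not line:
            continue
        pid = line.split(None, 1)[0]
        for token in _PATH.findall(line):
            base = token.rsplit("/", 1)[-1]
            if token in IOC_FILES or base in IOC_PROCESS_NAMES:
                hits.append({"pid": pid, "binary": token, "line": line})
                break
    return hits


def check_traffic(log_lines: List[str]) -> List[Dict[str, object]]:
    """Flag records whose destination is a listed C&C address. Any port is
    reported; 'documented_port' marks the 7443 named in the advisory."""
    hits = []
    for line in log_lines:
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        dst = fields.get("dstip")
        if dst in IOC_C2_IPS:
            port = int(fields.get("dstport", "0"))
            hits.append({"srcip": fields.get("srcip"), "dstip": dst,
                         "dstport": port, "documented_port": port == IOC_C2_PORT})
    return hits


def run_all() -> Dict[str, int]:
    """Run the three checks over the sample data and return hit counts."""
    files = check_files(SAMPLE_LS_DATA2, "/data2")
    procs = check_processes(SAMPLE_PS)
    flows = check_traffic(SAMPLE_TRAFFIC)
    for f in files:
        print("FILE   ", f)
    for p in procs:
        print("PROCESS", p["pid"], p["binary"])
    for t in flows:
        print("TRAFFIC", t["srcip"], "->", f'{t["dstip"]}:{t["dstport"]}')
    return {"files": len(files), "processes": len(procs), "traffic": len(flows)}


if __name__ == "__main__":
    run_all()
```

On a real investigation, replace the sample strings with the captured output of `fnsysctl ls` for each directory in the list and of `fnsysctl ps`, and feed exported traffic logs to `check_traffic`. Traffic to the listed addresses on a port other than 7443 is still reported, because the advisory documents one observed port rather than the only possible one.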
Affected Products
FortiOS versions 6.0.13 and below,
FortiOS versions 6.2.9 and below,
FortiOS versions 6.4.7 and below,
FortiOS versions 7.0.2 and below.
Solutions
Upgrade to FortiOS 6.0.14 or above,
Upgrade to FortiOS 6.2.10 or above,
Upgrade to FortiOS 6.4.8 or above,
Upgrade to FortiOS 7.0.3 or above.