Businesses around the world are re-learning the risks associated with installing security updates as multiple threat actors attempt to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.
The vulnerabilities both have a severity of 9.8 out of 10 and reside in two independent products that are critical to securing large networks. The first, tracked as CVE-2022-47966, is a remote code execution vulnerability before authentication in 24 separate products from software maker Zoho that use the company’s ManageEngine. It was patched in waves from last October through November. The second vulnerability, CVE-2022-39952, affects a product called FortiNAC, manufactured by cybersecurity company Fortinet and patched last week.
Both ManageEngine and FortiNAC are billed as zero-trust products, meaning they operate on the assumption that a network has been breached and constantly monitor devices to ensure they are not infected or behaving maliciously. Zero Trust products do not trust any network devices or nodes on a network and instead actively work to verify their security.
24 Zoho products affected
ManageEngine is the engine that powers a wide range of Zoho’s network management software and appliances that perform core functions. For example, AD Manager Plus helps administrators set up and manage Active Directory, the Windows service for creating and deleting all user accounts on a network and delegating system privileges to each one. Password Manager Pro provides a centralized digital vault for storing all of a network’s password data. Other ManageEngine enabled products manage desktops, mobile devices, servers, applications and service desks.
CVE-2022-47966 allows attackers to remotely execute malicious code by issuing a standard HTTP POST request that includes a specially crafted response using the Security Assertion Markup Language. (SAML, as it is abbreviated, is an open standard language used by identity providers and service providers to exchange authentication and authorization data.) The vulnerability stems from Zoho’s use of an outdated version of Apache Santuario to validate XML signatures.
In January, about two months after Zoho patched the ManageEngine vulnerability, security firm Horizon3.ai released an in-depth analysis that included proof-of-concept exploit code. Within a day, security firms like Bitdefender saw a series of active attacks from multiple threat actors targeting organizations worldwide that had not yet installed the security update.
Some attacks exploited the vulnerability to install tools such as the Netcat command line and from there the remote login software Anydesk. If successful, threat actors will sell initial access to other threat groups. Other attack groups exploited the vulnerability to install ransomware called Buhti, post-exploitation tools such as Cobalt Strike and RAT-el, and espionage malware.
“This vulnerability is another stark reminder of the importance of keeping systems up to date with the latest security patches while deploying strong perimeter protection,” the Bitdefender researchers wrote. “Attackers don’t need to look for new exploits or novel techniques knowing that many organizations are vulnerable to legacy exploits, due in part to a lack of proper patch management and risk management.”
Zoho representatives did not respond to an email requesting comment on this post.
FortiNAC under “massive” attack
CVE-2022-39952, on the other hand, resides in FortiNAC, a network access control solution that identifies and monitors every device connected to a network. Large enterprises use FortiNAC to protect operational technology networks in industrial control systems, IT equipment, and Internet of Things devices. Known as external control of file name or path, the vulnerability class allows unauthenticated attackers to write arbitrary files to a system and obtain remote code execution from there, running with full root privileges.
Fortinet patched the vulnerability on February 16, and within days, researchers from multiple organizations were reporting that it was being actively exploited. The warnings came from organizations or companies including shadow server, Cronup and Greynoise. Once again, Horizon3.ai provided a deep dive that analyzed the root cause of the vulnerability and how it could be weaponized.
“We have begun to detect the massive installation of webshells (backdoors) for later access to compromised devices,” Cronup researchers write.
The vulnerability is apparently exploited by several attackers to install various web shells that present attackers with a text window that they can use to issue commands remotely.
In a blog post published Thursday, Fortinet’s CTO, Carl Windsor, said the company regularly conducts internal security audits to find vulnerabilities in its products.
“Importantly, during one of these internal audits, Fortinet’s PSIRT team itself identified this remote code execution vulnerability,” Windsor wrote. “We immediately corrected this finding and published it as part of our February PSIRT advisory. (If you haven’t subscribed to our advice, we strongly encourage you to sign up using one of the methods outlined here.) Fortinet’s PSIRT policy balances our culture of transparency with our commitment to keeping our customers safe.”
Several Fortinet products have been actively used in recent years. In 2021, a trio of vulnerabilities in Fortinet’s FortiOS VPN – two patched in 2019 and one a year later – were targeted by attackers attempting to access multiple government, commercial, and technology services. Last December, an unknown attacker exploited another critical vulnerability in FortiOS’ SSL VPN to infect government and government-related organizations with advanced, custom malware. Fortinet quietly patched the vulnerability in late November, but only disclosed it after the in-the-wild attacks began. The company has yet to explain why or what its policy is for disclosing vulnerabilities in its products.
The attacks of the last few years show that security products designed to keep attackers off protected networks can be a double-edged sword that can become particularly dangerous if companies do not disclose them or if recent customers do not install updates. Anyone managing or monitoring networks using either ManageEngine or FortiNAC should immediately assess whether they are vulnerable. The research articles linked above provide a wealth of indicators that people can use to determine if they have been attacked.