
Patch Now: Critical Fortinet RCE Bug Under Active Attack


As expected, cyberattackers have pounced on a critical remote code execution (RCE) vulnerability in the Fortinet Enterprise Management Server (EMS) that was patched last week, which lets them execute arbitrary code and commands with system administrator privileges on affected systems.

The flaw, tracked as CVE-2024-48788 with a 9.3 out of 10 CVSS vulnerability-severity score, is one of three that the Cybersecurity and Infrastructure Security Agency (CISA) added on March 25 to its Known Exploited Vulnerabilities catalog, which tracks security vulnerabilities under active exploitation. Fortinet, which warned users of the flaw and patched it earlier this month, also quietly updated its security advisory to note its exploitation.

Specifically, the flaw is found in FortiClient EMS, the VM version of the FortiClient central management console. It stems from an SQL injection error in a direct-attached storage component of the server and is triggered by communications between the server and the endpoints attached to it.

"An improper neutralization of special elements used in an SQL Command... vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests," according to Fortinet's advisory.

Proof-of-Concept Exploit for CVE-2024-48788

The current exploitation of the flaw follows last week's release of proof-of-concept (PoC) exploit code, along with an analysis by researchers at Horizon3.ai detailing how the flaw can be exploited.

The Horizon3.ai researchers found that the flaw lies in how the main server service responsible for communicating with enrolled endpoint clients, FcmDaemon.exe, interacts with those clients. By default, the service listens on port 8013 for incoming client connections, which the researchers used to develop the PoC.

Other server components that interact with this service include the data access server, FCTDas.exe, which is responsible for translating requests from other server components into SQL requests to interact with the Microsoft SQL Server database.

Exploiting the Fortinet Flaw

To exploit the flaw, the Horizon3.ai researchers first established what typical communications between a client and the FcmDaemon service look like by configuring the installer and deploying an endpoint client.

"We found that the typical communications between the endpoint client and FcmDaemon.exe are encrypted with TLS, and there did not seem to be an easy way to dump the TLS session keys to decrypt legitimate traffic," Horizon3.ai exploit developer James Horseman wrote in the post.

The team then gleaned details about the communications from the service logs, which gave the researchers enough information to write a Python script to communicate with FcmDaemon. After some trial and error, the team was able to work out the message format and establish "meaningful communication" with the FcmDaemon service to trigger the SQL injection, Horseman wrote.

"We constructed a simple sleep payload of ' AND 1=0; WAITFOR DELAY '00:00:10' -- '," he wrote in the post. "We noticed a 10-second delay in the response and knew we had triggered the exploit."

To turn this SQL injection vulnerability into an RCE attack, the researchers used Microsoft SQL Server's built-in xp_cmdshell functionality to create the PoC, according to Horseman. "Initially, the database was not configured to run the xp_cmdshell command; however, it was easily enabled with a few other SQL statements," he wrote.

It is important to note that the PoC only confirms the vulnerability using a simple SQL injection without xp_cmdshell; for an attacker to achieve RCE, the PoC must be modified, Horseman said.

Cyberattacks Ramp Up on Fortinet; Patch Now

Fortinet bugs are a popular target for attackers, as Chris Boyd, staff research engineer at security firm Tenable, warned in his advisory on the flaw, first published on March 14. He cited several other Fortinet flaws, such as CVE-2023-27997, a critical heap-based buffer overflow vulnerability in multiple Fortinet products, and CVE-2022-40684, an authentication bypass flaw in FortiOS, FortiProxy, and FortiSwitch Manager, that have been exploited by threat actors. In fact, the latter bug was sold for the purpose of giving attackers initial access to systems.

"As exploit code has been released and Fortinet has previously been exploited by threat actors, including advanced persistent threat (APT) and nation-state groups, we strongly recommend patching this vulnerability as soon as possible," Boyd wrote in an update to his advisory after Horizon3.ai's release.

Fortinet and CISA are also urging customers who did not take advantage of the window between the initial advisory and the release of the PoC exploit to patch servers vulnerable to this latest flaw immediately.

To help organizations recognize whether the flaw is being exploited, Horizon3.ai's Horseman explained how to identify indicators of compromise (IoCs) in an environment. "There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined for connections from unrecognized clients or other malicious activity," he wrote. "The MS SQL logs can also be examined for evidence of xp_cmdshell being used to obtain command execution."
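As an added example (not code from the article, Fortinet or Horizon3.ai), the Python scanner below applies the two IoC checks Horseman describes to log lines: connections from endpoints outside a known inventory, and, in SQL activity, the time-based sleep probe quoted above, the statements that enable xp_cmdshell, and calls to xp_cmdshell. The line layout, the client inventory and the sample lines are constructed assumptions; the real EMS and SQL Server log formats differ and need their own parsing.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a made-up "<timestamp> <source> <message>" layout.
# This is NOT the real FortiClient EMS or SQL Server log format; swap in a parser per source.
SAMPLE_LOG = """\
2024-03-21T10:01:02Z fcmdaemon client 10.0.0.15 registered as LAPTOP-ACCT-03
2024-03-21T10:02:40Z fcmdaemon client 198.51.100.7 connection accepted
2024-03-21T10:02:41Z mssql exec: ... AND 1=0; WAITFOR DELAY '00:00:10' --
2024-03-21T10:03:05Z mssql exec: EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2024-03-21T10:03:06Z mssql exec: EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2024-03-21T10:03:10Z mssql exec: EXEC xp_cmdshell 'whoami'
2024-03-21T10:05:00Z fcmdaemon client 10.0.0.16 heartbeat ok
"""

# Endpoints the EMS is expected to talk to (assumed inventory, constructed for the example).
KNOWN_CLIENTS = {"10.0.0.15", "10.0.0.16"}

CLIENT_RE = re.compile(r"\bclient (\d{1,3}(?:\.\d{1,3}){3})\b")

# Ordered: the first match wins, so the statement that turns xp_cmdshell on is
# reported once as "enabled" rather than also as a call.
SQL_PATTERNS = [
    ("time_based_sqli", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),  # the sleep probe
    ("xp_cmdshell_enabled", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_exec", re.compile(r"\bxp_cmdshell\b", re.I)),     # command execution
]


@dataclass
class Finding:
    kind: str    # which IoC matched
    detail: str  # client IP or the pattern that fired
    line: str    # the raw log line, for the analyst


def scan_log(text: str, known_clients=KNOWN_CLIENTS) -> list[Finding]:
    """Return one Finding per log line that shows an IoC described in the article."""
    findings = []
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:  # client connection line: flag only addresses outside the inventory
            if m.group(1) not in known_clients:
                findings.append(Finding("unknown_client", m.group(1), line))
            continue
        for kind, rx in SQL_PATTERNS:
            if rx.search(line):
                findings.append(Finding(kind, rx.pattern, line))
                break
    return findings


def kinds(text: str) -> list[str]:
    return [f.kind for f in scan_log(text)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.kind:20} {f.line}")
```

In a real deployment the inventory would come from the EMS endpoint list and the SQL lines from SQL Server audit or error logs; the matching logic stays the same.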
