Fortinet Releases Update to Patch SSL VPN Security Hole
Fortinet has released an update to its FortiOS operating system just before the June patch day. This update addresses a security vulnerability in the SSL VPN, which could allow attackers to inject and execute malicious code from the network.
Charles Fol, one of the discoverers of the vulnerability, has written on Twitter that any SSL VPN appliance can be exploited without prior authentication. The CVE number has already been reserved for this, but further details will follow later.
Preliminary Security Advisory
The vulnerability has not yet been documented on the Fortinet website. However, a preliminary security report on the Olympe Cyberdefense website indicates that it will be released on June 13th, coinciding with Fortinet’s regular patch day in June.
Attackers can bypass multi-factor authentication (MFA) with the vulnerability. The bug-fixed versions of FortiOS are 6.2.15, 6.4.13, 7.0.12, and 7.2.5 or newer. An update to version 6.0.17 is also available, which is surprising since FortiOS 6.0 is at the end of its life cycle.
Reducing Attack Surface
IT managers should apply the available updates as quickly as possible to minimize the attack surface. Fortinet recently distributed two security updates for the May patch day, both of which addressed vulnerabilities deemed to be high risk.
In conclusion, Fortinet’s quick response in patching the SSL VPN security hole is commendable. System administrators are urged to update their systems immediately, as attackers are known to exploit vulnerabilities in security software as soon as details about them become public.
