SOC Advisory – FortiOS Vulnerability and “Mum I dropped my phone” scam

In this advisory we provide information around a recent Fortinet ForiOS related advisory.

For our Educational customers (and those from other industries that would like to provide some general awareness to their staff), we have included information around a recent “Mum I dropped my phone” advisory. Another attempt to scam victims and provide financial gain to various third parties. It has all of the hallmarks of success, invoking a sense of urgency and imitating a close and often dependent family member.

FortiOS – Buffer overflow in execute extender command

Although not as significant as previous vulnerabilities, this vulnerability, assigned CVE-2023-29182 (scored 6.4) may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections.

Impacted Version(s)

• FortiOS version 7.0.0 through 7.0.3
• FortiOS 6.4 all versions
• FortiOS 6.2 all versions

Mitigation/ Remediation Strategies

We would recommend that all partners running an impacted version, complete their upgrade activities as soon as practical.

• Impacted version: FortiOS version 7.0.0 through 7.0.3 – upgrade to FortiOS version 7.4.0 or above
• Impacted version: FortiOS 6.4 all versions – upgrade to FortiOS version 7.2.0 or above
• Impacted version: FortiOS 6.2 all versions – upgrade to FortiOS version 7.0.4 or above

Further reading

Further information can be found on the following links:

• https://www.fortiguard.com/psirt/FG-IR-23-149
• https://code610.blogspot.com/2023/04/fuzzing-fortigate-7.html

“Mum I dropped my phone” scam and phishing

The NZ Cert recently released an advisory to their NZ audience around an SMS scam and phishing campaign.

We have seen similar attack methods within Australia via SMS, WhatsApp and various other social platforms.

We would recommend that our educational customer (specifically) be aware of this campaign and would encourage awareness of the campaign across their communities.

And not to be alarmist, but as you would be aware, Technology is moving apace. In a similar vein, preying on family emotions, as highlighted in the Cert NZ advisory, there has been an uptick in the use technology by bad actors to mimic voices, convincing people, often the elderly, that loved ones may be in distress. We’ve included a link below to an article around AI voice scams to keep awareness of this emerging attack vector top of mind.

Further reading

Further information can be found on the following links:

• https://www.cert.govt.nz/individuals/alerts/mum-i-dropped-my-phone-sms-scam-targeting-new-zealanders
• https://www.washingtonpost.com/technology/2023/03/05/ai-voice-scam/