The system that for years has protected our digital business is now vulnerable to advanced persistent threat (APT) actors and soon may be a victim of potential attacks. The FBI and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), in a joint alert, have recently warned that threat actors are actively exploiting unpatched Fortinet vulnerabilities to gain network access.

Who should be concerned about the Fortinet vulnerabilities?

According to FBI and CISA, APT actors are performing multiple device scans on ports 4443, 8443, and 10443 for unpatched security implementations in the Fortinet cybersecurity operating system called FortiOS.

Owing to this information, almost all users of the Fortinet product are vulnerable to potential threats. However, three specific bugs, two out of which are critical for data exfiltration, have been identified to be actively exploited by attackers – CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. “It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,” according to the alert.

What is a CVE?

CVEs, overseen by Mitre Corporation, are Common Vulnerabilities and Exposures are publicly disclosed computer security flaws that help IT professionals to prioritize vulnerabilities.

You should be concerned about the vulnerability if you are:

• Using Fortinet FortiOS for enterprise security, endpoint security, cloud deployments, and centralized networks security.
• Not applying the patches that have been issued by Fortinet as FortiOS builds remain open to compromise without those fixes.

What Fortinet vulnerabilities you should be concerned about?

In previously known campaigns, threat actors have leveraged these vulnerabilities in chained cyberattacks to conduct DDoS attacks, ransomware attacks, SQL injection attacks, multiple website defacements, and disinformation campaigns.

However, for the current scenario, the APT actors are attempting to leverage the Fortinet SSL VPN security holes to gain network access. This allows the attackers to pre-position and gain foothold on critical infrastructure networks of users for follow-on data exfiltration attacks.

Technical Details of the Fortinet FortiOS Vulnerabilities

The vulnerabilities in the Fortinet VPN – CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 – allow an APT actor to obtain valid login credentials or even bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic.

Initial Attack Vector: The FortiOS SSL VPNs that are used mainly for perimeter firewalls have been analyzed to contain a CVE-2018-13379 vulnerability that can be used by attackers to extract the session file of the VPN gateway. Such session files often contain login credentials including passwords in plaintext. It is worth noting that the Fortinet devices are vulnerable to traversal attacks.

Lateral Movement: After gaining the credentials of the enterprise network through the VPN gateway, attackers can access the credentials of Windows users who would have previously logged in to the compromised system. In another case, the attacker can immediately gain access to shared services such as Active Directory and LDAP if the VPN credentials are active.

*Encryption and Reconnaissance have not been discussed in this advisory because the vulnerabilities have not yet been exploited by the threat actors to full extent.

List of Bugs in Fortinet FortiOS – Explained for Administrators

• CVE-2018-13379: It is a path-traversal issue, an Improper Limitation of a Pathname in Fortinet FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12. This bug has been noticed in the SSL VPN web portal that opens a hole for attackers to download system files by reading the /dev/cmdb/sslvpn_websession file through specially crafted HTTP requests.
• CVE-2019-5591: It is a default-configuration vulnerability noticed in FortiOS that may allow an attacker on the same subnet to inherit sensitive data by impersonating the LDAP server. Attack vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
• CVE-2020-12812: It is an improper-authentication vulnerability in SSL VPN in FortiOS versions 6.4.0, 6.2.0 to 6.2.3, 6.0.9 that may allow an APT actor to log in successfully without a second factor of authentication. The particular service of Fortinet, FortiToken, may have a broken authentication and session management layer that leads to this vulnerability in FortiOS.

How to Mitigate and Prevent the Fortinet Vulnerabilities and Risks?

Powered by purpose-built forensic information pillars that accelerate cybersecurity reach and industry-leading threat intelligence by SISA Information Security, our consultants provide effective mitigation steps against the vulnerabilities in Fortinet. Learn how you can identify if your system is affected, and how to prevent and mitigate the vulnerabilities.

How to Know If You Are Affected?

It is the network perimeter that may serve as the first layer of intrusion for any Fortinet vulnerability. Thus, always check your Fortinet device logs for old and new requests which may indicate SSL VPN credentials being compromised.

Additionally, threat hunting teams and administrators can check access logs for SSL VPN services and identify any unexpected connections that may indicate compromised credentials of the VPN.

There are more than 480,000 Fortinet servers operating on the internet, especially across end users and medium-sized enterprises in Asia and Europe. Therefore, it should be a regular activity for all business associates and users of Fortinet to identify if the vulnerability in Fortinet FortiOS has affected them.

How to Prevent a Potential Fortinet FortiOS Breach?

• Patch your Fortinet devices for CVEs 2018-13379, 2020-12812 and 2019-5591.
• Once patched, adopt a security practice to frequently change the passwords of any local SSL VPN users.
• Add key artifact files used by FortiOS to your network’s execution-deny list.
• As a temporary preventive technique, disable the SSL VPN service until the services are secured for risk mitigation (both web and tunnel-mode) by applying the following commands:
  – config vpn ssl settings
  – unset source-interface
  – end

How to Mitigate Risks Associated with Fortinet Vulnerabilities?

• VPN services, fundamentally, should be configured to use Multi-Factor Authentication (MFA).
• Password-protect backup data and ensure that critical or sensitive data is nor allowed for modification from the primary system.
• Implement network segmentation and perform frequent comprehensive network audits. Restrict third-party access or facilitate vendors to access the network through a secure portal.
• Install updates and patch for operating systems and firmware as patches are released by the host software provider.
• Disable unused remote access systems/Remote Desktop Protocol (RDP) ports and monitor the logs.
• Audit user accounts with administrative privileges and apply least privilege for access.

About SISA

SISA is a global Forensic Driven Cyber Security Company, trusted by organizations across the globe since 2003 for securing their businesses with robust preventive, detective, and corrective security services and solutions. SISA currently serves 2000+ clients across 40+ countries through its delivery centers in the U.S.A, U.K, Bahrain, U.A.E, Saudi Arabia, India, Singapore, and Australia.

Please feel free to contact us should you require further information or assistance in this regard. For technical information on some of the Indicators of Compromise or potential Reconnaissance factors, please contact us at contact@sisainfosec.com