On 2nd April, 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly warned administrators and users that state-sponsored hacking groups are "likely" exploiting the Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
The attackers are enumerating servers left unpatched against CVE-2020-12812 and CVE-2019-5591, and scanning for devices vulnerable to CVE-2018-13379 on ports 4443, 8443, and 10443.
How it works
The joint advisory states that the bug tracked as CVE-2018-13379 is a path-traversal issue in Fortinet FortiOS: the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. CVE-2019-5591 is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
Finally, CVE-2020-12812 is an improper-authentication vulnerability in the FortiOS SSL VPN, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
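The path-traversal bug described above leaves a trace in the SSL VPN web portal's access logs: a request whose path tries to climb out of the web root, often percent-encoded, answered on one of the scanned ports. The following is an added detection example (not code from the advisory, Fortinet, or the CIRT) that runs over constructed log lines in an assumed format and flags such requests, separating a mere attempt from one the server actually answered with content; it uses only generic "../" patterns, not any specific exploit URL.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Assumed format:
#   client - - [time] "METHOD path HTTP/x.y" status bytes dst_port
# The "../" sequences are generic, not any specific exploit URL.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2021:10:00:01 +0000] "GET /remote/login HTTP/1.1" 200 512 10443
203.0.113.7 - - [02/Apr/2021:10:00:02 +0000] "GET /remote/../../../etc/hosts HTTP/1.1" 200 2048 10443
203.0.113.9 - - [02/Apr/2021:10:00:03 +0000] "GET /remote/%252e%252e/%252e%252e/conf HTTP/1.1" 404 0 8443
203.0.113.9 - - [02/Apr/2021:10:00:04 +0000] "GET /static/logo..png HTTP/1.1" 200 9000 443
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) '
    r'HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+) (?P<port>\d+)$')

SSL_VPN_PORTS = {4443, 8443, 10443}  # ports named in the advisory


def decode_path(raw: str) -> str:
    """Percent-decode until stable (catches double encoding); unify slashes."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when a whole segment is '..' (an attempt to climb out of the web
    root); a name such as 'logo..png' is legitimate and not flagged."""
    path = decode_path(raw_path).split("?", 1)[0]
    return any(seg == ".." for seg in path.split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Flag traversal requests. 'served' marks a 2xx reply with a body, which
    means file content may actually have been returned and needs escalation."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        status, size, port = int(m["status"]), int(m["bytes"]), int(m["port"])
        hits.append({"client": m["client"], "path": m["path"], "status": status,
                     "vpn_port": port in SSL_VPN_PORTS,
                     "served": 200 <= status < 300 and size > 0})
    return hits
```

A hit with `served` set means the portal answered the traversal with content and should be treated as a possible credential exposure, not just a scan.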
Immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
For more information about this alert and possible solutions, follow this URL:
The Guyana National CIRT recommends that users and administrators review this alert and apply the solutions where necessary.
PDF Download: Security Vulnerabilities in the Fortinet SSL VPN.pdf
FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities (2nd April, 2021). Retrieved from
FBI and CISA warn of state hackers attacking Fortinet FortiOS servers (2nd April, 2021). Retrieved from BleepingComputer.
FBI: APTs Actively Exploiting Fortinet VPN Security Holes (2nd April, 2021). Retrieved from Threatpost.