AL2021_10 Security Vulnerabilities in the Fortinet SSL VPN (2nd April, 2021)

Description

On the 2nd April, 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly warned administrators and users that state-sponsored hacking groups are "likely" exploiting the Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Summary

The attackers are enumerating servers that remain unpatched against CVE-2020-12812 and CVE-2019-5591, and are scanning ports 4443, 8443, and 10443 for devices vulnerable to CVE-2018-13379.

How it works

The joint advisory stated that the bug tracked as CVE-2018-13379 is a path-traversal issue in Fortinet FortiOS: the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. The CVE-2019-5591 flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

Finally, CVE-2020-12812 is an improper-authentication vulnerability in the FortiOS SSL VPN, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
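The following script is an added example, not part of the Guyana National CIRT alert or of any Fortinet tooling. It shows how a defender might triage logs for the two activity patterns described in the Summary and "How it works" sections: probing of the SSL VPN ports named above, HTTP requests to those ports that carry a path-traversal sequence (the CVE-2018-13379 class of request), and successful VPN logins with no second factor where the username differs from the configured account only in letter case (the CVE-2020-12812 pattern). CVE-2019-5591 is a network-layer LDAP impersonation issue and is not covered here. The log lines, their field layout, the usernames and the IP addresses are all constructed for the example; real FortiGate and proxy logs use different field names.

```python
"""Defender-side log triage for the FortiOS issues named in the alert.

Added example; all log lines and field layouts below are CONSTRUCTED and
simplified, not real FortiGate output.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Ports the alert says are being scanned for CVE-2018-13379-vulnerable devices.
SSLVPN_PORTS = {4443, 8443, 10443}

# Constructed access-log lines: <src_ip> <dst_port> "<method> <path> <version>" <status>
ACCESS_LOG = """\
203.0.113.7 10443 "GET /sslvpn/portal HTTP/1.1" 200
203.0.113.7 10443 "GET /sslvpn/portal?lang=../../../../etc/passwd HTTP/1.1" 200
203.0.113.7 10443 "GET /sslvpn/portal?lang=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200
198.51.100.9 8443 "GET /sslvpn/portal HTTP/1.1" 200
198.51.100.9 4443 "GET /sslvpn/portal HTTP/1.1" 200
198.51.100.9 10443 "GET /sslvpn/portal HTTP/1.1" 200
192.0.2.5 443 "GET /index.html HTTP/1.1" 200
"""

# Constructed VPN authentication-log lines (hypothetical key=value format).
AUTH_LOG = """\
user=jsmith src=192.0.2.5 result=success second_factor=fortitoken
user=JSmith src=203.0.113.7 result=success second_factor=none
user=alice src=192.0.2.8 result=success second_factor=fortitoken
user=ALICE src=203.0.113.7 result=failure second_factor=none
"""
# Canonical spelling of the accounts configured for the VPN (constructed).
KNOWN_USERS = {"jsmith", "alice"}

ACCESS_RE = re.compile(r'^(\S+) (\d+) "(\S+) (\S+) (\S+)" (\d+)$')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # '../' or '..\' after decoding


def _decode(path):
    # Decode twice so double-encoded sequences (e.g. %252e) are also normalised.
    return unquote(unquote(path))


def find_traversal_requests(log_text):
    """Requests to the SSL VPN ports whose decoded path contains a '..' step."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        src, port, path = m.group(1), int(m.group(2)), _decode(m.group(4))
        if port in SSLVPN_PORTS and TRAVERSAL_RE.search(path):
            hits.append((src, port, path))
    return hits


def find_port_probers(log_text, min_ports=2):
    """Sources that touched at least `min_ports` of the SSL VPN ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and int(m.group(2)) in SSLVPN_PORTS:
            seen[m.group(1)].add(int(m.group(2)))
    return {src: sorted(p) for src, p in seen.items() if len(p) >= min_ports}


def _kv(line):
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_mfa_bypass_logins(log_text, known_users):
    """Successful logins with no second factor where the username matches a
    configured account only after case-folding (the CVE-2020-12812 pattern)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = _kv(line)
        user = f.get("user", "")
        if (f.get("result") == "success" and f.get("second_factor") == "none"
                and user not in known_users and user.lower() in known_users):
            hits.append((user, f.get("src")))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(ACCESS_LOG):
        print("traversal request:", hit)
    for src, ports in find_port_probers(ACCESS_LOG).items():
        print("port probing:", src, ports)
    for user, src in find_mfa_bypass_logins(AUTH_LOG, KNOWN_USERS):
        print("login without second factor, case-variant username:", user, src)
```

The traversal check decodes twice and matches on the decoded path so that percent-encoded and double-encoded `..` sequences are not missed; the MFA check deliberately compares the username as typed against the canonical spelling, because a login that only matches after case-folding and skipped the second factor is exactly the behaviour the alert describes for CVE-2020-12812.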

Solution

Immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

For more information about this alert and possible solutions, see the following URL:

https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios

The Guyana National CIRT recommends that users and administrators review this alert and apply the solutions where necessary.

References

FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities (2nd April, 2021). Retrieved from CISA:

https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios

FBI and CISA warn of state hackers attacking Fortinet FortiOS servers (2nd April, 2021). Retrieved from BleepingComputer:

https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-state-hackers-attacking-fortinet-fortios-servers/

FBI: APTs Actively Exploiting Fortinet VPN Security Holes (2nd April, 2021). Retrieved from Threatpost:

https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/