Overview
Fortinet announced that the credentials for 87000 FortiGate VPN devices were leaked by a malicious actor.
Description
A malicious actor has recently disclosed the credentials for 87000 FortiGate SSL-VPN devices. According to the company, the credentials were obtained from devices that were unpatched against CVE-2018-13379 at the time of the attacks.
The exploited flaw is an information disclosure vulnerability (CVE-2018-13379) in the FortiOS SSL-VPN. Because of a path traversal flaw, attackers can download FortiOS system files (including the VPN access credentials) through specially crafted HTTP requests.
Fortinet resolved this vulnerability in May 2019 by issuing updates for the vulnerable products. At the time, the company also issued a security bulletin (FG-IR-18-384) that warned customers of the disclosure of the 87000 credentials for FortiGate SSL-VPN devices. Currently, it is unclear whether the recently disclosed credentials are different from the earlier compromise or not.
After this first announcement, the company issued multiple blog posts (August 2019, July 2020, April 2021 and June 2021) about CVE-2018-13379, as malicious actors continually targeted FortiOS SSL-VPN devices that were not patched against this vulnerability. In these blog posts, customers were repeatedly asked to upgrade their devices, to treat all credentials that were in use before the upgrades as potentially compromised, and to reset them organization-wide.
According to the July 2020 blog post, this vulnerability was also used as an initial attack vector by APT29 (Cozy Bear) to target various organizations that were developing or conducting research on the COVID-19 vaccine.
The following products are affected by the CVE-2018-13379 vulnerability when the SSL-VPN service is enabled, and should be upgraded immediately.
- FortiOS 6.0 – 6.0.0 to 6.0.4
- FortiOS 5.6 – 5.6.3 to 5.6.7
- FortiOS 5.4 – 5.4.6 to 5.4.12
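The affected ranges above can be applied to a device inventory as follows. This is an added example, not code from Fortinet or the original advisory; the hostnames, build strings and the `(hostname, version, sslvpn_enabled)` row layout are assumptions made for illustration. Versions are compared numerically, because a plain string comparison would misplace releases such as 5.4.12 and 5.6.10.

```python
import re

# Affected FortiOS ranges exactly as listed in this advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 4)),
    ((5, 6, 3), (5, 6, 7)),
    ((5, 4, 6), (5, 4, 12)),
]
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v6.0.4,build0231', or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version_text, sslvpn_enabled):
    """True/False per the advisory's ranges; None when the version cannot be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None  # unknown: needs manual review, never silently "not affected"
    in_range = any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)
    return in_range and sslvpn_enabled

def triage(inventory):
    """Split (hostname, version_text, sslvpn_enabled) rows into upgrade / review / ok."""
    result = {"upgrade": [], "review": [], "ok": []}
    for host, version_text, sslvpn in inventory:
        verdict = is_affected(version_text, sslvpn)
        key = "review" if verdict is None else ("upgrade" if verdict else "ok")
        result[key].append(host)
    return result

# Constructed sample inventory (hostnames and build strings are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "v6.0.4,build0231", True),
    ("fw-branch-02", "v6.0.5,build0268", True),
    ("fw-dc-01", "5.4.12", True),
    ("fw-dc-02", "5.4.5", True),
    ("fw-lab-01", "v5.6.10", True),
    ("fw-lab-02", "v5.6.3", False),
    ("fw-old-01", "unknown", True),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A device in the "ok" bucket only means its current version is outside the listed ranges; if it ran an affected release before being upgraded, its credentials still fall under the reset guidance in this advisory.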
Impact
An unauthenticated attacker who successfully exploits CVE-2018-13379 can remotely download FortiOS system files (including the VPN access credentials) through specially crafted HTTP requests.
Impact Summary
Category: Path Traversal
CVSS 3.1 Base Score: 9.8 Critical
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Solution (Update)
Fortinet recommends taking the following steps immediately to ensure protection against the CVE-2018-13379 vulnerability:
- All VPNs (SSL-VPN or IPSEC) should be disabled until the following remediations have been implemented.
- Affected products should be upgraded to the latest available release.
- All credentials should be treated as potentially compromised and must be reset organization-wide.
- Multi-factor authentication should be implemented to further mitigate compromises against password attacks.
- Users should be informed about the password resets and warned not to reuse these potentially compromised passwords in other accounts, as they can be used in credential stuffing attacks.
References to Advisories, Solutions and Tools
- https://nvd.nist.gov (CVE-2018-13379)
- Fortinet Blogs (Malicious Actor Discloses FortiGate SSL-VPN Credentials)