Password Exposure for Fortinet Devices Vulnerable to CVE-2018-13379

About

According to Cybersecurity and Infrastructure Security Agency (CISA), vulnerability CVE-2018-13379 is causing password exposure on Fortinet devices. This exposure may allow unauthenticated attackers to access and download FortiOS system files through specifically crafted HTTP resource requests. These effected devices may be located in the United States.

Addressing this possible password vulnerability, Fortinet has released a PSIRT advisory to summarize and provide mitigation processes. CISA is advising all users and administrators to review this advisory for affected products, complete necessary updates, and conduct a thorough review of connected networks. 

This hack has exposed credentials for almost 50,000 Fortinet Inc. FortiGate virtual private networking systems connected to the internet. Using a known vulnerability (CVE-2018-13379), these networking systems can be exploited by unauthenticated attackers. 

Vulnerable Products

  • FortiOS 6.0 – 6.0.0 to 6.0.4 
  • FortiOS 5.6 – 5.6.3 to 5.6.7 
  • FortiOS 5.4 – 5.4.6 to 5.4.12 

Note: Branches and versions other than above are not impacted. This vulnerability exists only if the SSL VPN service (web-mode or tunnel-mode) is enabled. 

Solution

  • Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5, or 6.2.0 and above 

Code to exploit this vulnerability to obtain the credentials of logged- in SSL VPN users was disclosed. If you choose not to update to the versions listed above, you can mitigate the impact of this password exposure by enabling MFA/2FA for SSL VPN users. This would stop attackers from using stolen credentials to impersonate SSL VPN users.   

Workarounds

  • Completely disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands: 
    • config vpn ssl settings
    • unset source-interface
    • end

To successfully execute the above sequence, firewall policies tied to SSL VPN will need to be unset first. 

What This Means to our Partners

With nearly 50,000 FortiGate credentials exposed in this hack, the attackers can bypass the restricted location to access files and directories throughout the system. This data leak has affected records belonging to banks, telecommunication companies, and government organizations. Leaked data includes session-related information and plain-text credentials of Fortinet VPN users. 

The current advisory is asking Fortinet customers to immediately upgrade their FortiGate systems to the versions listed in the Solution section of this post and validate their SSL VPN local users through multi-factor authentication. Password resets are also highly recommended for all Fortinet customers as a further solution to the password exposure on Fortinet devices caused by CVE-2018-13379.

Get More Information

https://www.bleepingcomputer.com/news/security/hacker-posts-exploits-for-over-49-000-vulnerable-fortinet-vpns/

BlackPoint Cyber