Old vulnerability haunts unpatched FortiOS installations

Atharva Chincholkar November 27, 2020 Uncategorized

In 2018, a vulnerability (CVE-2018-13379) allowed attackers to read FortiOS files without authentication by sending a carefully crafted HTTP request. This vulnerability only existed in the SSL VPN. It affected FortiOS version 5.6.3 to FortiOS version 6.0.4.
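The first question a defender has is which devices in the fleet fall inside the version range given above. The following inventory check is an added example, not code from the original post or from Fortinet; the hostnames and firmware strings are constructed, and the range is taken as stated in the post (5.6.3 through 6.0.4, inclusive).

```python
"""Flag FortiOS devices whose firmware falls in the range the post names as
affected by CVE-2018-13379. Added example; the inventory below is constructed."""
from typing import List, Tuple

Version = Tuple[int, ...]

# Range as stated in the post, inclusive at both ends.
AFFECTED_MIN: Version = (5, 6, 3)
AFFECTED_MAX: Version = (6, 0, 4)


def parse_version(text: str) -> Version:
    """Turn 'v6.0.4', '6.0.4-build1234' or '6.0' into a comparable int tuple.
    A build suffix after '-' is dropped; missing components are padded with
    zeros so that '6.0' compares equal to '6.0.0'."""
    cleaned = text.strip().lower().lstrip("v").split("-")[0]
    nums = tuple(int(p) for p in cleaned.split("."))
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """True when the firmware is inside the affected range."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that need patching. Because the post reports that
    credentials harvested through this bug are reused after patching, every
    host returned here should also get its VPN credentials rotated."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: (hostname, firmware version as reported).
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "v5.6.3"),
    ("vpn-gw-02", "6.0.4-build0231"),
    ("vpn-gw-03", "6.0.5"),
    ("vpn-gw-04", "5.6.2"),
    ("vpn-gw-05", "6.2"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: in affected range, patch and rotate VPN credentials")
```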

According to CloudSEK, this vulnerability has come back to haunt networks that run FortiOS and missed the memo in 2018, leaving them open to attack. More than 49000 vulnerable targets for this particular CVE were listed for sale on a hacking forum. These are easy targets for attackers, who can make a huge profit by acquiring and selling sensitive data, or simply hold the network to ransom.

FortiOS SSL VPN vulnerability

The path traversal vulnerability allowed unauthorized access to the passwd and shadow files stored on the FortiOS device, along with any private keys stored there. These files may also contain the login information of users on the FortiOS device, and they can be read by exploiting this vulnerability.

At the very least, attackers can cause serious downtime once they are in the network; they might also deploy ransomware or exfiltrate sensitive data. The compromise of even one endpoint may lead to the whole domain being taken over.

Bank_Security found that, in a later post, the hacker dumped login details from these vulnerable machines, containing usernames, passwords with "full-access" privilege level, and IP addresses of the VPN's users.

Source: @Bank_Security

Among the victims, there are some banks, government domains and many companies around the world.

Secure Authentication with PureID

The usernames and passwords dumped by (ab)using CVE-2018- are being used to gain access to networks even after the vulnerability is patched. VPNs are the first line of defense for any enterprise; do not leave them at the mercy of 2FA/MFA, which can be easily bypassed. Go passwordless with PureID. Stolen passwords won't affect you if there are no passwords.

You can check out our integrations for other popular VPNs, such as PaloAlto and OpenVPN.
