In 2018, a vulnerability (CVE-2018-13379) allowed attackers to read FortiOS files without authentication by sending a carefully crafted HTTP request. This vulnerability only existed in the SSL VPN. It affected FortiOS version 5.6.3 to FortiOS version 6.0.4.

According to CloudSEK this vulnerability has come back to haunt networks that use FortiOS and missed the memo in 2018, leaving them open to attacks. More than 49000 vulnerable targets for this particular CVE, were listed for sale on a hacking forum. These are the easy targets for attackers to make a huge profit by acquiring and selling sensitive data, or just hold the network ransom.

FortiOS SSL VPN vulnerability

The path traversal vulnerability allowed unauthorized access to passwd and shadow files stored inside the FortiOS, along with any private keys stored. These files may also contain the login information of the users on the FortiOS and can be read by using this vulnerability.

At the very least, attackers can cause serious downtime once they are in the network, they might deploy ransomware or exfiltrate sensitive data. The failure of even one endpoint may lead to the whole domain being taken over.

Bank_Security found that, in a later post, the hacker dumped login details from these vulnerable machines containing usernames, passwords with "full-access" privilege level and IP addresses of users of the VPN.

Source : @Bank_Security

Among the victims, there are some banks, government domains and many companies around the world.

Secure Authentication with PureID

The usernames and passwords dumped (ab)using CVE2018- are being used to get access to the network even after the vulnerability is patched. VPNs being the first line of defense for any enterprise, do not leave it at the mercy of 2FA/MFA which can be easily bypassed. Go passwordless with PureID. Stolen passwords won’t affect you if there are no passwords.

You can check out our integrations for other popular VPNs PaloAlto, OpenVPN.