Recently, a security researcher discovered a list of vulnerable FortiGate SSL VPN installations. Such a list can be used by attackers to gain access to business networks. This is an older vulnerability about which numerous warnings have already been issued and to which attention has already been drawn several times.
However, we observe that this vulnerability is still actively being exploited by malicious parties. Moreover, a list of businesses that may have been affected was recently posted online, which makes this threat urgent again. Meanwhile, this list has come into the possession of Tesorion, and we have actively informed these businesses.
On 24 May 2019, Fortinet made a software patch available that fixes a vulnerability in the SSL VPN functionality of its FortiGate devices. Through this vulnerability, it is possible to download the login details of active users of the device. This information can then be used to log in to the SSL VPN solution (and thus gain access to the business network) or to gain access to other information systems.
Detailed information on the vulnerability
The software vulnerability is registered as CVE-2018-13379. The following software versions are vulnerable if the SSL VPN functionality is enabled:
- FortiOS 5.4 – 5.4.6 to 5.4.12
- FortiOS 5.6 – 5.6.3 to 5.6.7
- FortiOS 6.0 – 6.0.0 to 6.0.4
Through the vulnerability, the login details of active users can be downloaded. This concerns the following details:
- Public IP address of the user
Fortinet's complete advisory is available here: https://www.fortiguard.com/psirt/FG-IR-18-384
With the information obtained via the vulnerability, an attacker can log in to the SSL VPN solution, which gives the attacker access to the business network. In addition, the same login details may provide access to other information systems, e.g. email.
T-CERT has detected incidents in which the attacker gained access to the environment via this vulnerability, after which, for instance, ransomware was installed.
What can you do to prevent or limit potential damage?
Make sure you update the software of your FortiGate to one of the following versions:
- FortiOS 5.4.13
- FortiOS 5.6.8
- FortiOS 6.0.5
- FortiOS 6.2.0
Then also carry out the following actions:
- Reset the passwords of users of the SSL VPN solution
- Activate multi-factor authentication for the SSL VPN solution
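As an added illustration (not part of Tesorion's advisory or of Fortinet's tooling), the check below maps a FortiOS version string to the affected ranges and fixed releases listed above, so an inventory of devices can be triaged quickly. The layout of the `Version:` line, the hostnames and the build numbers in the sample inventory are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges (inclusive) and the fixed release per branch, as listed on this page.
AFFECTED = {
    (5, 4): ((5, 4, 6), (5, 4, 12), (5, 4, 13)),
    (5, 6): ((5, 6, 3), (5, 6, 7), (5, 6, 8)),
    (6, 0): ((6, 0, 0), (6, 0, 4), (6, 0, 5)),
}
_VER_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull 'x.y.z' out of strings such as 'v6.0.4,build0231' or the (assumed)
    'Version:' line of 'get system status'; build ids and dates are ignored."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def assess(version_text: str, sslvpn_enabled: bool) -> Tuple[bool, Optional[str]]:
    """Return (exposed, upgrade_to). A device on an affected build is only exposed
    while SSL VPN is enabled, but the upgrade target is reported either way so the
    patch is not skipped on a device that may enable SSL VPN later."""
    v = parse_version(version_text)
    if v[:2] not in AFFECTED:
        return (False, None)
    low, high, fixed = AFFECTED[v[:2]]
    if low <= v <= high:
        return (sslvpn_enabled, ".".join(map(str, fixed)))
    return (False, None)

def sweep(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, Tuple[bool, str]]:
    """Map each host that still needs action to (exposed, upgrade_to); patched hosts are omitted."""
    findings: Dict[str, Tuple[bool, str]] = {}
    for host, version_text, sslvpn_enabled in inventory:
        exposed, upgrade_to = assess(version_text, sslvpn_enabled)
        if upgrade_to:
            findings[host] = (exposed, upgrade_to)
    return findings

# Constructed sample inventory: hostnames, builds and dates are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-hq", "Version: FortiGate-100E v6.0.4,build0231,190107 (GA)", True),
    ("fw-branch", "v5.6.3,build1547,180805 (GA)", False),
    ("fw-dmz", "v6.0.5,build0268,190507 (GA)", True),
    ("fw-lab", "v6.2.0,build0866,190328 (GA)", True),
]
```

Running `sweep(SAMPLE_INVENTORY)` flags fw-hq as exposed and fw-branch as an affected build that still needs the upgrade, while the two patched devices are not reported.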
Given the simplicity and age of the vulnerability, it is highly plausible that malicious parties already have (or have already had) access to your business network. T-CERT therefore recommends securing the log files of the FortiGate and of other systems and analysing them for malicious activity. If required, T-CERT can assist you with this.