-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0179
         FortiGate SSL-VPN Credentials Leaked by a Malicious Actor
                             10 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          FortiOS
Operating System: Network Appliance
Impact/Access:    Access Confidential Data -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-13379
Reference:        ESB-2019.1891.3

OVERVIEW

        Fortinet have announced that "a malicious actor has recently 
        disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN 
        devices." [1]
        
        This has been widely reported over the last few days, and the leaked 
        credential data is available in the wild. [2][3][4]


IMPACT

        Fortinet advise that the credentials were obtained by exploiting 
        FG-IR-18-384 / CVE-2018-13379, which was resolved in May 2019. [1] 
        
        This vulnerability allowed "an unauthenticated attacker to download 
        FortiOS system files through specially crafted HTTP resource 
        requests." [5][6]
        
        If any of the following FortiOS versions was running at any time, it is 
        possible that credentials were compromised:
        FortiOS 6.0 - 6.0.0 to 6.0.4
        FortiOS 5.6 - 5.6.3 to 5.6.7
        FortiOS 5.4 - 5.4.6 to 5.4.12 [1][5]
        
        ACSC state "It is unknown exactly when the suspected exploitation activity 
        occurred for each identified FortiNet device in the list." [4]
        
        Multiple blogs have been published by Fortinet since the initial vulnerability 
        disclosure encouraging customers to upgrade their devices. A blog from 16/7/2020 
        mentioned that the vulnerability was being targeted by ATP 29. [7][8][9][10]
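        The bulletin's exposure condition is whether a device ever ran an affected 
        release, not whether it runs one now. The following is an added example, 
        not code from AusCERT or Fortinet, that triages an inventory of FortiOS 
        version histories against the three affected ranges listed above. The 
        hostnames, version histories and build numbers in SAMPLE_INVENTORY are 
        constructed for the example; the version-string format is assumed to be 
        the "v6.0.3,build..." form FortiOS reports.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected FortiOS releases as listed in the bulletin (both ends inclusive).
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((6, 0, 0), (6, 0, 4)),   # FortiOS 6.0.0 to 6.0.4
    ((5, 6, 3), (5, 6, 7)),   # FortiOS 5.6.3 to 5.6.7
    ((5, 4, 6), (5, 4, 12)),  # FortiOS 5.4.6 to 5.4.12
)

# Assumed version-string form, e.g. "v6.0.3,build0200"; only the dotted
# numeric part matters for the range check.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from a FortiOS version string, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version lies inside any affected range. Comparing integer
    tuples avoids the string-comparison trap where "5.6.10" < "5.6.7"."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def triage_inventory(inventory: Iterable[Tuple[str, List[str]]]) -> List[str]:
    """inventory: (hostname, version strings the device has run, oldest first).
    Returns hostnames whose credentials must be treated as compromised because
    the device ran an affected release at any point, even if it has since been
    upgraded, which is the condition the bulletin describes."""
    exposed: List[str] = []
    for host, history in inventory:
        parsed = [parse_fortios_version(v) for v in history]
        if any(v is not None and is_affected(v) for v in parsed):
            exposed.append(host)
    return exposed


# Constructed sample inventory: hostnames, histories and build numbers are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-01", ["v6.0.3,build0200", "v6.0.4,build0231", "v6.4.6,build1879"]),
    ("fw-branch-02", ["v5.6.10,build1624", "v6.2.8,build1201"]),
    ("fw-dc-01",     ["v6.0.5,build0268", "v6.4.7,build1911"]),
    ("fw-lab",       ["unknown"]),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: ran an affected release; reset SSL-VPN credentials and enforce MFA")
```

        Note that fw-branch-02 is not flagged: 5.6.10 is newer than 5.6.7, which a 
        naive string comparison would get wrong. Devices whose history is unknown 
        (fw-lab) are not flagged here either; in practice they should be treated 
        as exposed unless records prove otherwise.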


MITIGATION

        Fortinet recommends taking the following remediation steps:
        "1 Disable all VPNs until the following remediation steps have been taken.
         2 Immediately upgrade affected devices to the latest available release, 
           as detailed below.
         3 Treat all credentials as potentially compromised by performing an 
           organization-wide password reset.
         4 Implement multi-factor authentication, which will help mitigate the abuse
           of any compromised credentials, both now and in the future.
         5 Notify users to explain the reason for the password reset and monitor services 
           such as HIBP for your domain. There is the potential that if passwords have been
           reused for other accounts, they could be used in credential stuffing attacks." [1]
        
        Fortinet advise that, if a vulnerable version of FortiOS was running at 
        any time, the recommended password reset must be performed:
        "Fortinet is reiterating that, if at any time your organization was running 
        any of the affected versions listed below, even if you have upgraded
        your devices, you must also perform the recommended user password 
        reset following upgrade, as per the customer support bulletin and 
        other advisory information. Otherwise, you may remain vulnerable 
        post-upgrade if your users' credentials were previously 
        compromised." [1]
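        Steps 3 and 5 above rest on the assumption that leaked passwords will be 
        reused and stuffed elsewhere. The following is an added example, not code 
        from AusCERT or Fortinet, of a check an organisation might run during the 
        password reset: each new password is tested against the Have I Been Pwned 
        Pwned Passwords range API using its k-anonymity protocol, so only the 
        first five hex characters of the SHA-1 digest ever leave the host. The 
        endpoint URL and "SUFFIX:COUNT" response format are the service's real 
        ones; the response body used here is constructed so the example runs 
        offline, and the password_acceptable policy is this example's own 
        assumption.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Pwned Passwords range endpoint: the client sends only the first five hex
# characters of the SHA-1 digest and matches the remaining 35 locally.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dictionary."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup over HTTPS; not used by the offline demonstration below."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-reset-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to prefix 5BAA6 (SHA-1 of "password"
# begins 5BAA61E4...). Suffixes and counts are made up for the example, except
# that the second suffix is the genuine remainder of that digest.
_CONSTRUCTED_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "2F1A6A5B0A6C4F0D9F0B1C2D3E4F5A6B7C8:12",
])


def fetch_range_constructed(prefix: str) -> str:
    """Offline fetcher returning the constructed body for 5BAA6 only."""
    return _CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def password_acceptable(password: str,
                        fetch_range: Callable[[str], str] = fetch_range_constructed) -> bool:
    """Assumed reset policy: reject any password seen in a breach corpus."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        verdict = "accepted" if password_acceptable(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

        To use the live service, pass fetch_range_live as the fetcher. A breach 
        check only screens the new password; it does not replace the reset itself 
        or the multi-factor authentication Fortinet recommends in step 4.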


REFERENCES

        [1] Malicious Actor Discloses FortiGate SSL-VPN Credentials
            https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials

        [2] Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate
            Devices
            https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html

        [3] Hackers leak passwords for 500,000 Fortinet VPN accounts
            https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/

        [4] Suspected user credentials stolen from FortiNet devices leaked
            online
            https://www.cyber.gov.au/acsc/view-all-content/alerts/suspected-user-credentials-stolen-fortinet-devices-leaked-online

        [5] FortiOS system file leak through SSL VPN via specially crafted HTTP
            resource requests
            https://www.fortiguard.com/psirt/FG-IR-18-384

        [6] UPDATE Fortigate SSL VPN: Multiple vulnerabilities
            https://www.auscert.org.au/bulletins/ESB-2019.1891.3

        [7] FortiOS and SSL Vulnerabilities
            https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability?utm_source=blog&utm_campaign=fortios-ssl-vulnerability

        [8] ATP 29 Targeting SSL VPN Flaws
            https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws?utm_source=blog&utm_campaign=atp-29-targets-ssl-vpn-flaws

        [9] Patch and Vulnerability Management
            https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management?utm_source=blog&utm_campaign=patch-vulnerability-management

        [10] Prioritizing Patching is Essential for Network Integrity
             https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----