
DHS CISA: Fortinet VPN Vulnerability Poses Password Exposure Risk

Disclosed in 2019, a vulnerability found in certain Fortinet VPN devices could allow an attacker to steal data, including passwords, if left unpatched.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert warning private sector organizations of a vulnerability in certain Fortinet devices that exposes system files, including files containing passwords.

The alert refers to CVE-2018-13379, disclosed in 2019 and affecting Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12. The flaw is an improper limitation of a pathname to a restricted directory, or path traversal, in the SSL Virtual Private Network (VPN) web portal.

Fortinet has continued to urge a software update for these vulnerable devices since its initial disclosure in 2019.

A successful exploit allows an unauthenticated attacker to download system files from the device by sending specially crafted HTTP resource requests. According to the latest DHS CISA alert, the agency is aware that passwords have likely been exposed through these vulnerable devices, particularly in the US.

The exploit does not require credentials. Among the files it can retrieve are those holding the session data of currently logged-in SSL VPN users, which is how the attacker obtains their usernames and passwords in the first place; those stolen credentials can then be used to log in to the VPN as legitimate users.

Just last month, the FBI and DHS CISA warned that advanced persistent threat (APT) actors were targeting government networks, critical infrastructure, and election organizations by chaining vulnerabilities, including the Fortinet flaw. Vulnerability chaining is the practice of exploiting multiple vulnerabilities in a single cyberattack, such as using the file-download flaw to harvest VPN credentials and then using those credentials to reach internal systems.

At that time, CISA was aware of several successful attacks leveraging this tactic.

Fortinet previously provided a security advisory, which recommended system upgrades to versions 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. For healthcare and other organizations, where patching continues to prove challenging, Fortinet also released a recommended workaround to prevent an exploit.

The only temporary workaround Fortinet offers is to disable the SSL-VPN service entirely, for both web mode and tunnel mode. Firewall policies tied to the SSL-VPN must be unset first, or the change will not apply.

“In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users,” the advisory explained. “An attacker would then not be able to use stolen credentials to impersonate SSL VPN users.”

CISA further recommended administrators conduct a thorough review of system logs on any connected networks to detect any additional threat actor activity.
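As an aid to the log review CISA recommends, the following script is an added example; it is not part of the article and not tooling from Fortinet or CISA. It assumes portal access logs in a common-log style format and assumes the SSL VPN web portal is served under a `/remote/` prefix (both are assumptions, and the log lines below are constructed, not real traffic). It percent-decodes each request target repeatedly, so that double-encoded `%252e%252e` sequences are not missed, and flags any request to the portal whose path or query parameter contains a `..` segment, which is the signature of the path traversal described above.

```python
"""Review SSL VPN portal access logs for path-traversal probes.

Added example, not from the article, Fortinet or CISA. Assumptions:
  - common-log-format style lines (ip - - [ts] "METHOD target proto" status ...)
  - the SSL VPN web portal lives under PORTAL_PREFIX
"""
import re
from collections import Counter
from urllib.parse import unquote, parse_qsl

# Assumption: the SSL VPN web portal path prefix on the device.
PORTAL_PREFIX = "/remote/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment: at the start or after a slash, followed by a slash or end.
DOTDOT = re.compile(r'(?:^|/)\.\.(?:/|$)')


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is undone."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_reason(target):
    """Return a short reason if the request target looks like traversal, else None.

    Only requests under PORTAL_PREFIX are considered; both the path and every
    query parameter value are checked after decoding and backslash normalisation.
    """
    path, _, query = target.partition("?")
    path = decode_fully(path).replace("\\", "/")
    if not path.startswith(PORTAL_PREFIX):
        return None
    if DOTDOT.search(path):
        return "dot-dot segment in request path"
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value).replace("\\", "/")
        if DOTDOT.search(value):
            return f"dot-dot segment in query parameter {name!r}"
    return None


def review_log(lines):
    """Return a list of (ip, timestamp, target, reason) for suspicious lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip
        reason = traversal_reason(m["target"])
        if reason:
            hits.append((m["ip"], m["ts"], m["target"], reason))
    return hits


def offending_sources(hits):
    """Count suspicious requests per source IP, to prioritise follow-up."""
    return dict(Counter(ip for ip, _, _, _ in hits))


# Constructed sample log lines (not real traffic); 198.51.100.7 is the prober.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1234',
    '203.0.113.5 - - [19/Nov/2020:10:01:09 +0000] "GET /remote/portal/?lang=en HTTP/1.1" 200 5678',
    '198.51.100.7 - - [19/Nov/2020:10:02:30 +0000] "GET /remote/portal/?lang=/../../../../etc/hosts HTTP/1.1" 200 412',
    '198.51.100.7 - - [19/Nov/2020:10:02:31 +0000] "GET /remote/portal/?lang=%2F%2e%2e%2F%2e%2e%2Fetc%2Fhosts HTTP/1.1" 200 412',
    '198.51.100.7 - - [19/Nov/2020:10:02:32 +0000] "GET /remote/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0',
    '192.0.2.9 - - [19/Nov/2020:10:03:00 +0000] "GET /static/logo.png?v=..1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, ts, target, reason in review_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target} -> {reason}")
    print(offending_sources(review_log(SAMPLE_LOG)))
```

A 200 response to a traversal request is the strongest signal that a file was actually served; a 404 shows a probe that was blocked or mis-aimed. Any source that produced hits should be treated as a credential-theft attempt, and every user session active at that time should have its password rotated.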

It is imperative for healthcare organizations to secure these devices now: in recent days, several security researchers reported that hacking groups have posted passwords stolen from vulnerable devices for sale on the dark web.

On November 19, a researcher took to Twitter to warn that a hacker had shared a list of 49,577 vulnerable Fortinet devices and claimed to have stolen the credentials from them. The researcher also noted that these credentials were spreading across a range of dark web forums.

Another threat actor then shared the plaintext credentials related to vulnerable Fortinet devices on the dark web.

Stolen credentials are not only usable against the vulnerable devices themselves. Because employees are notorious for reusing passwords across accounts, attackers may also try the same credentials against other corporate logins to break into the network.

The National Security Agency previously released guidance on securing IPsec VPNs, telework, and remote sites in light of the rise in remote work amid the COVID-19 crisis. Organizations should use that guidance to identify best-practice mitigations, including proper VPN configuration, attack-surface reduction, and policy controls.
