The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that advanced hackers may be exploiting key vulnerabilities in Fortinet's FortiOS SSL VPN to gain a foothold inside medium and large enterprises, a beachhead for later attacks.
In a joint advisory, the agencies said: "APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services."
Breaching the perimeter
Fortinet's FortiOS SSL VPN runs on the company's perimeter firewalls, which separate sensitive internal networks from the public Internet. Two of the three already-patched vulnerabilities listed in the advisory, CVE-2018-13379 and CVE-2020-12812, are particularly severe because they let unauthenticated attackers steal credentials and connect to VPNs that have not yet been updated.
"If VPN credentials are also shared with other internal services (for example, if they are Active Directory, LDAP, or similar single sign-on credentials), then the attacker immediately gains access to those services with the privileges of the user whose credentials were stolen," said James Renken, a site reliability engineer at the Internet Security Research Group. Renken was one of the two people who discovered the third FortiOS vulnerability, CVE-2019-5591, which Friday's advisory said is also likely being exploited. "The attacker can then move through the network and pivot to try to exploit various internal services, and so on."
Researchers Orange Tsai and Meh Chang of the security firm Devcore discovered and disclosed one of the most severe of the bugs, CVE-2018-13379. Slides from the researchers' talk at the 2019 Black Hat security conference describe it as providing a "pre-auth arbitrary file read," meaning an attacker can use it to read password databases or other files of interest without first logging in.
Security firm Tenable said CVE-2020-12812 can allow an attacker to bypass two-factor authentication and log in successfully.
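A pre-authentication arbitrary file read in a web portal such as the one described above is reached through a crafted request path (CVE-2018-13379 is classed as a path traversal bug), so the probing leaves a trace in HTTP access logs. The following Python script is an added example, not code from the article, from Fortinet, or from the advisory: it decodes request paths (including double percent-encoding) and flags directory-traversal sequences in constructed Apache/nginx-style log lines. The portal paths, addresses and log lines in SAMPLE_LOG are made up for illustration and do not reproduce the real exploit.

```python
"""Detect path-traversal probes against an SSL VPN web portal in HTTP
access logs. Added example for this article; it is not Fortinet's code
nor anything from the FBI/CISA advisory. The log format (Apache/nginx
"combined") and the sample lines below are constructed for illustration."""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Sequences that step out of the intended directory once decoded:
# "../" (POSIX), "..\" (Windows-style), or a trailing "/.."
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/\.\.$)')


def normalize(path: str) -> str:
    """Percent-decode repeatedly (at most three rounds) so that %2e%2e%2f
    and double-encoded %252e%252e%252f both surface as '../'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if the request path or query string, after decoding, contains
    a directory-traversal sequence."""
    return TRAVERSAL_RE.search(normalize(path)) is not None


def scan(lines):
    """Return one (ip, status, decoded_path) tuple per suspicious request.
    A 200 on a traversal probe matters far more than a 404: it suggests the
    server served the file the attacker asked for."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry; skip it
        path = m.group('path')
        if is_traversal(path):
            hits.append((m.group('ip'), int(m.group('status')), normalize(path)))
    return hits


# Constructed sample log: addresses, portal paths and requests are illustrative
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2021:12:00:01 +0000] "GET /sslvpn/login?lang=en HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Apr/2021:12:00:02 +0000] "GET /sslvpn/login?lang=../../../../etc/passwd HTTP/1.1" 200 4210',
    '198.51.100.7 - - [10/Apr/2021:12:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 88012',
    '198.51.100.7 - - [10/Apr/2021:12:00:04 +0000] "GET /sslvpn/login?lang=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 162',
    '192.0.2.9 - - [10/Apr/2021:12:00:05 +0000] "POST /sslvpn/logincheck HTTP/1.1" 302 0',
]

if __name__ == '__main__':
    for ip, status, path in scan(SAMPLE_LOG):
        print(f'{ip} status={status} {path}')
```

Run against a real reverse-proxy or appliance HTTP log, the two hits from the sample (one answered with 200, one with 404) are the kind of entries to escalate: the 200 means the portal likely returned the requested file, and that client's credentials and sessions should be treated as compromised. Decoding in several rounds is what catches the double-encoded probe; a single unquote would miss it.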
In an emailed statement, Fortinet said:
The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers, and via corporate blog posts on multiple occasions in August 2019 and July 2020, strongly recommending an upgrade. Following the resolution, we continued to communicate with customers through the end of 2020. CVE-2019-5591 was resolved in July 2019, and CVE-2020-12812 was resolved in July 2020. For more information, please visit our blog and refer immediately to the May 2019 advisory. If customers have not done so, we urge them to implement the upgrade and mitigations immediately.
The FBI and CISA did not provide details about the APT mentioned in the joint advisory. The advisory also said there is a "possibility" that threat actors are actively exploiting these vulnerabilities.
Patching the vulnerabilities requires IT administrators to make configuration changes and, unless the organization's network has more than one VPN device, causes downtime. Those obstacles are often hard to accept in environments that need the VPN available around the clock, but leaving the flaws unpatched greatly increases the risk of a ransomware or espionage intrusion.