Vulnerability

FortiGate SSL VPN vulnerability CVE-2018-13379

T-Update

Information about vulnerabilities

A security researcher recently discovered a list of vulnerable FortiGate SSL VPN solutions. Attackers are reportedly using this list to gain access to business networks. The underlying vulnerability is an older one that has already been the subject of numerous warnings and has been brought to attention several times.

However, we observe that malicious parties are still actively exploiting this vulnerability. Moreover, a list of businesses that may have been affected was recently posted online, which makes this threat urgent again. Tesorion has since obtained this list and has actively informed these businesses.

Introduction

On 24 May 2019, Fortinet made a software patch available that solves a software vulnerability in its SSL VPN solution. This vulnerability in the FortiGate SSL VPN solution makes it possible to download the login details of active users of the device. This information can then be used to log in to the solution (and thus gain access to the business network) or to gain access to other information systems.

Background

The software vulnerability was registered under CVE-2018-13379. The following software versions are vulnerable if the SSL VPN functionality is activated:

  • FortiOS 5.4 – 5.4.6 to 5.4.12
  • FortiOS 5.6 – 5.6.3 to 5.6.7
  • FortiOS 6.0 – 6.0.0 to 6.0.4

With the vulnerability, the login details of active users can be downloaded. This concerns the following details:

  • Username
  • Password
  • Public IP address of the user

Fortinet's complete advisory is available here: https://www.fortiguard.com/psirt/FG-IR-18-384

Risk

Using the information that can be obtained via the vulnerability, the attacker can log in to the SSL VPN solution. This gives the attacker access to the business network. In addition, the login details may provide access to other information systems, e.g. email.

T-CERT has detected incidents in which the attacker gained access to the environment via this vulnerability, after which, for instance, ransomware was installed.

Advice

Make sure that you update the software of your FortiGate to the following versions:

  • FortiOS 5.4.13
  • FortiOS 5.6.8
  • FortiOS 6.0.5
  • FortiOS 6.2.0

Then also carry out the following actions:

  • Reset the passwords of users of the SSL VPN solution
  • Activate multi-factor authentication for the SSL VPN solution
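
As an added example (not Tesorion's or Fortinet's code), the following Python script triages a device inventory against the affected ranges and fixed releases listed in this advisory. The inventory format, hostnames and function names are assumptions made for illustration.

```python
import re

# Ranges and fixed releases as listed in this advisory: branch -> (first, last, fixed)
AFFECTED = {
    (5, 4): ((5, 4, 6), (5, 4, 12), "5.4.13"),
    (5, 6): ((5, 6, 3), (5, 6, 7), "5.6.8"),
    (6, 0): ((6, 0, 0), (6, 0, 4), "6.0.5"),
}

def parse_version(text):
    """Extract (major, minor, patch) from strings like 'v6.0.4' or 'FortiOS 5.6.7'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def triage(version_text, sslvpn_enabled):
    """Return (status, fixed_release) for one device."""
    version = parse_version(version_text)
    entry = AFFECTED.get(version[:2])
    if entry is None or not (entry[0] <= version <= entry[1]):
        return ("not listed as affected", None)
    if not sslvpn_enabled:
        # The advisory lists these versions as vulnerable only with SSL VPN activated.
        return ("affected version, SSL VPN off", entry[2])
    return ("VULNERABLE", entry[2])

def report(inventory):
    """Triage every (host, version_text, sslvpn_enabled) row; never abort on bad input."""
    rows = []
    for host, version_text, sslvpn in inventory:
        try:
            status, fixed = triage(version_text, sslvpn)
        except ValueError:
            status, fixed = "unparseable version, check manually", None
        rows.append((host, status, fixed))
    return rows

# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = [
    ("fw-ams-01", "v6.0.4", True),
    ("fw-rtm-02", "FortiOS 5.6.8", True),
    ("fw-utr-03", "5.4.9", False),
    ("fw-ehv-04", "unknown", True),
]

if __name__ == "__main__":
    for host, status, fixed in report(SAMPLE):
        print(f"{host:10} {status:36} fixed in: {fixed or '-'}")
```

Devices flagged VULNERABLE also need the password reset and multi-factor authentication steps above, because credentials may already have been downloaded before the upgrade.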
