
Fortinet VPN Credential Compromise and Leak

10 September, 2021

Event Summary

Threat actors have obtained and leaked almost 500,000 Fortinet VPN credentials, including user names and passwords. They obtained these credentials via a previously disclosed vulnerability, CVE-2018-13379, described as a FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. At this time, the majority of the leaked credentials are from non-U.S. countries, but Security On-Demand would like customers to confirm that patches have been applied and that all Fortinet SSL VPN credentials have been updated.

Details

CVE-2018-13379 – FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests

This is a path traversal vulnerability in the FortiOS SSL VPN web portal. If successfully exploited, an unauthenticated attacker could download FortiOS system files via a specially crafted HTTP resource request. Once obtained, threat actors may retrieve session files containing usernames and passwords stored in plain text.

This vulnerability was published and rectified in May of 2019, but exploitations of unpatched systems have occurred since. Fortinet has issued a series of security advisories since the initial publication urging customers to upgrade affected appliances.

Affected Products

FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12

(other branches and versions than above are not impacted)

Please note: Exploitation is possible only if the SSL VPN service (web-mode or tunnel-mode) is enabled.
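The affected-version list above is easy to misread when an inventory contains many branches and build strings. The following triage helper is an added example (not Security On-Demand or Fortinet code): it parses FortiOS version strings, checks them against the ranges and fixed versions stated in this advisory, and applies the advisory's own rules (exploitation requires SSL VPN to be enabled; a patched device still needs a credential reset). The appliance inventory records and the field names `ssl_vpn_enabled` and `credentials_reset_after_patch` are constructed for the example.

```python
"""Triage helper for CVE-2018-13379 exposure across a FortiOS inventory.

Added example, not code from Security On-Demand or Fortinet. Version ranges and
fixed versions come from the advisory text; the inventory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges per the advisory: branch -> (first affected, last affected, first fixed)
AFFECTED_RANGES: Dict[str, Tuple[Version, Version, str]] = {
    "5.4": ((5, 4, 6), (5, 4, 12), "5.4.13"),
    "5.6": ((5, 6, 3), (5, 6, 7), "5.6.8"),
    "6.0": ((6, 0, 0), (6, 0, 4), "6.0.5"),
}


def parse_version(text: str) -> Version:
    """Parse 'v6.0.4', '6.0.4,build0231' or '6.0.4-something' into (major, minor, patch)."""
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def fixed_version_for(version: Version) -> Optional[str]:
    """Return the first fixed release if the build is in an affected range, else None."""
    branch = f"{version[0]}.{version[1]}"
    entry = AFFECTED_RANGES.get(branch)
    if entry is None:
        return None  # other branches are not impacted per the advisory
    first, last, fixed = entry
    return fixed if first <= version <= last else None


@dataclass
class Appliance:
    name: str
    version: str
    ssl_vpn_enabled: bool            # web-mode or tunnel-mode SSL VPN enabled (constructed field)
    credentials_reset_after_patch: bool  # org-wide reset done after the upgrade (constructed field)


def assess(appliance: Appliance) -> Tuple[str, str]:
    """Return (status, recommended action) for one appliance using the advisory's rules."""
    version = parse_version(appliance.version)
    fixed = fixed_version_for(version)
    if fixed is not None:
        if appliance.ssl_vpn_enabled:
            return ("VULNERABLE",
                    f"upgrade to FortiOS {fixed} or later, reset all VPN credentials, "
                    "enforce MFA; disable SSL-VPN until then")
        return ("AFFECTED_BUILD_SSL_VPN_DISABLED",
                f"not currently exploitable; upgrade to FortiOS {fixed} or later "
                "before enabling SSL VPN")
    if not appliance.credentials_reset_after_patch:
        # Patched appliances may still carry credentials harvested before the patch.
        return ("PATCHED_NO_RESET",
                "build not affected, but reset all VPN credentials and enforce MFA")
    return ("OK", "no action required for CVE-2018-13379")


def summarize(inventory: List[Appliance]) -> Dict[str, int]:
    """Count appliances per status so the exposure can be reported at a glance."""
    counts: Dict[str, int] = {}
    for appliance in inventory:
        status, _ = assess(appliance)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Appliance("edge-fw-01", "v6.0.4,build0231", True, False),
    Appliance("edge-fw-02", "5.6.3", False, False),
    Appliance("branch-fw-07", "6.0.5", True, False),
    Appliance("dc-fw-01", "6.2.0", True, True),
    Appliance("lab-fw-01", "5.4.5", True, True),
]

if __name__ == "__main__":
    for a in SAMPLE_INVENTORY:
        status, action = assess(a)
        print(f"{a.name:14} {a.version:18} {status:31} {action}")
    print(summarize(SAMPLE_INVENTORY))
```

The version parser tolerates the `,buildNNNN` suffix that FortiOS reports alongside the release number, and the `PATCHED_NO_RESET` status exists precisely because the advisory notes that patching alone does not invalidate credentials that were already taken.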

The credentials in the leak were obtained from systems that had not been patched against this vulnerability. Even where patches were applied after publication, systems may still be exposed if the credentials were not reset afterwards.

Recommendations

Fortinet strongly recommends upgrading to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. Also, treat all credentials as potentially compromised and perform an organization-wide password reset, implementing multi-factor authentication to reduce the abuse of compromised credentials now and in the future.

Password resets following the upgrade are critical if any credentials have been compromised.

If upgrading and implementing MFA are not possible at this time, the only mitigation is to disable all VPN services (SSL-VPN or IPsec) until the above recommendations can be followed. Fortinet has provided workaround details to disable the SSL-VPN, which can be found here.

SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.

SOD strongly recommends upgrading your Fortinet FortiOS platforms to unaffected versions, performing a full password reset, and implementing multi-factor authentication to mitigate current or future credential compromises.

Sources

CVE-2018-13379 – Fortinet vulnerability reference

NVD – CVE-2018-13379 – NIST vulnerability publication

Bleeping Computer – Fortinet VPN Hacker Leak