Fortinet VPN Credential Compromise and Leak
10 September, 2021
Threat actors have obtained and leaked credentials for almost 500,000 Fortinet SSL VPN accounts, including usernames and passwords. The credentials were harvested through a previously disclosed vulnerability, CVE-2018-13379 (FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests). At this time the majority of the leaked credentials belong to organizations outside the U.S., but Security On-Demand asks all customers to confirm that patches have been applied and that all Fortinet SSL VPN credentials have been changed.
CVE-2018-13379 – FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
This is a path traversal vulnerability in the FortiOS SSL VPN web portal. If successfully exploited, an unauthenticated attacker can download FortiOS system files via a specially crafted HTTP resource request. Among the files that can be retrieved are SSL VPN session files, which contain usernames and passwords in plain text.
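As a detection-side illustration of the request pattern described above (an added example, not from the original advisory or from Fortinet): the script below scans web-portal access log lines for path traversal sequences, after undoing the usual evasions of percent-encoding (including double encoding), backslashes and doubled slashes. The log lines, client addresses and request paths are constructed for this example and do not reproduce the actual exploit request; the point is the normalize-then-check logic, which applies to any HTTP log.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a common combined-log style.
# Paths and addresses are invented for this example; they are not the
# real request shape used against the FortiOS portal.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2021:09:14:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 4123
203.0.113.5 - - [10/Sep/2021:09:14:09 +0000] "GET /remote/login?lang=/../../../../etc/passwd HTTP/1.1" 200 512
198.51.100.7 - - [10/Sep/2021:09:15:33 +0000] "GET /remote/login?lang=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 300
198.51.100.7 - - [10/Sep/2021:09:16:01 +0000] "GET /remote/login?lang=/..//..//..////////dev/null HTTP/1.1" 200 100
192.0.2.9 - - [10/Sep/2021:09:17:45 +0000] "GET /remote/hostcheck_validate?lang=en HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)


def normalize(target: str) -> str:
    """Undo common evasions: repeated percent-decoding, backslashes,
    and runs of slashes (a//b resolves the same as a/b)."""
    cur, prev = target, None
    for _ in range(3):                      # bounded: %252e still decodes
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    cur = cur.replace("\\", "/")
    return re.sub(r"/{2,}", "/", cur)


def escapes_root(value: str) -> bool:
    """True when '..' segments climb above the starting directory."""
    depth = 0
    for seg in value.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def has_traversal(target: str) -> bool:
    """Check the URL path and every query-string value for traversal."""
    norm = normalize(target)
    path, _, query = norm.partition("?")
    values = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    return any(escapes_root(v) for v in values)


def scan(log_text: str):
    """Return (client_ip, raw_target, status) for each suspicious request.
    A 200 on one of these is the case to escalate: the file was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run against real portal logs, treat a traversal request that returned 200 as confirmed exposure of whatever file was named, and reset the credentials of every account that had an SSL VPN session on that appliance at the time.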
This vulnerability was published and fixed in May 2019, but exploitation of unpatched systems has continued since then. Fortinet has issued a series of security advisories since the initial publication urging customers to upgrade affected appliances. Affected versions:
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12
(other branches and versions are not affected)
Please note: Exploitation is possible only if the SSL VPN service (web-mode or tunnel-mode) is enabled.
The leaked credentials were harvested from systems that had not been patched against this vulnerability. Systems patched after the advisory was published may still be at risk: the patch closes the file leak, but it does not invalidate credentials that were already stolen, so an appliance whose passwords were never reset after the upgrade remains exposed to credential abuse.
Fortinet strongly recommends upgrading to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. Also treat all credentials as potentially compromised: perform an organization-wide password reset and implement multi-factor authentication to limit the abuse of compromised credentials now and in the future.
Password resets following the upgrade are critical if any credentials may have been compromised, because upgrading alone does not revoke credentials an attacker already holds.
If upgrading and implementing MFA are not possible at this time, the only mitigation is to disable all VPN (SSL-VPN or IPSEC) until the above recommendations can be followed. Fortinet has published workaround details for disabling the SSL-VPN in its advisory.
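To turn the affected-version list and the post-upgrade credential guidance above into one repeatable check (an added example, not part of the original advisory and not a Fortinet tool): the script below triages a constructed inventory of FortiGate devices. A vulnerable build with SSL VPN enabled is flagged as exposed, a vulnerable build with SSL VPN disabled as patch-only (per the note that exploitation requires the SSL VPN service), and an upgraded device that previously ran a vulnerable build without a credential reset afterwards as reset-required. The device names, the inventory fields and the version-string formats accepted are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected FortiOS builds per the advisory (inclusive ranges, keyed by branch).
AFFECTED = {
    (6, 0): ((6, 0, 0), (6, 0, 4)),
    (5, 6): ((5, 6, 3), (5, 6, 7)),
    (5, 4): ((5, 4, 6), (5, 4, 12)),
}
# First fixed build on each affected branch, per the advisory.
FIXED = {(6, 0): "6.0.5", (5, 6): "5.6.8", (5, 4): "5.4.13"}


@dataclass
class Device:                               # inventory schema assumed for the example
    name: str
    version: str                            # FortiOS build currently running
    sslvpn_enabled: bool                    # web-mode or tunnel-mode SSL VPN on?
    prior_version: Optional[str] = None     # build before the last upgrade, if known
    creds_reset: bool = False               # SSL VPN credentials reset after upgrade?


def parse_version(text: str):
    """Accept forms such as '6.0.4', 'v6.0.4' or '6.0.4,build0231'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_build(version: str) -> bool:
    v = parse_version(version)
    rng = AFFECTED.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]


def assess(d: Device):
    """Return (status, action). Statuses, most urgent first:
    exposed, patch_only, reset_required, ok."""
    if is_vulnerable_build(d.version):
        target = FIXED[parse_version(d.version)[:2]]
        if d.sslvpn_enabled:
            return ("exposed",
                    f"upgrade to {target}, then reset all SSL VPN credentials and enforce MFA")
        return ("patch_only",
                f"not exploitable while SSL VPN is disabled; upgrade to {target} before enabling it")
    # Patched, but credentials issued while a vulnerable build was running may already be stolen.
    if d.prior_version and is_vulnerable_build(d.prior_version) and not d.creds_reset:
        return ("reset_required",
                "upgraded, but credentials from the vulnerable build were never reset")
    return ("ok", "not affected")


def triage(devices):
    """Map device name -> status for a whole inventory."""
    return {d.name: assess(d)[0] for d in devices}


# Constructed inventory for the example; these are not real hosts.
INVENTORY = [
    Device("fw-hq-01", "v6.0.4", True),
    Device("fw-branch-02", "5.6.5", False),
    Device("fw-dc-03", "6.0.9", True, prior_version="6.0.3"),
    Device("fw-dc-04", "6.2.3", True, prior_version="6.0.4", creds_reset=True),
    Device("fw-lab-05", "5.4.13", True),
]

if __name__ == "__main__":
    for d in INVENTORY:
        status, action = assess(d)
        print(f"{d.name:14} {d.version:10} {status:15} {action}")
```

The reset_required branch encodes the point that patching alone does not revoke credentials already harvested. Whether SSL VPN was actually enabled while the prior build was running is not tracked here, so the check deliberately errs toward requiring a reset.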
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. SOD is not affected by this vulnerability.
SOD strongly recommends upgrading your Fortinet FortiOS platforms to unaffected versions, performing a full password reset, and implementing multi-factor authentication to mitigate current or future credential compromise.
CVE-2018-13379 – Fortinet vulnerability reference
NVD – CVE-2018-13379 – NIST vulnerability publication