6 April 2021
Executive Summary
The FBI and CISA have released a joint cybersecurity advisory disclosing that several Advanced Persistent Threat (APT) groups are actively scanning for devices exposed to three FortiOS vulnerabilities. Anyone who has not already applied the patches for these vulnerabilities is advised to apply them immediately.
Details
The three vulnerabilities in question are as follows:
CVE-2018-13379 (path traversal in the SSL VPN web portal)
Description: An improper limitation of a pathname to a restricted directory (path traversal) allows an unauthenticated attacker to download system files via a specially crafted HTTP request. No credentials are needed, so any device with the SSL VPN portal reachable from the Internet is exposed.
Affected versions: FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
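The defining feature of the first vulnerability is a request whose path escapes the directory the server intended to serve. The following is an added example, not code from Security On-Demand, Fortinet or the FBI advisory: a small log scanner that flags traversal segments in request targets, including percent-encoded and double-encoded forms, and marks which requests the server actually answered with a 2xx. The log lines are constructed in a generic web-server combined-log style (not FortiOS's own log format), the "/files/view" endpoint is invented for illustration, and the detector is deliberately endpoint-agnostic rather than tied to any specific FortiOS URL.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a generic combined-log style.  They are
# not FortiOS logs and the endpoint "/files/view" is invented for illustration;
# 203.0.113.x and 198.51.100.x are documentation address ranges.
SAMPLE_LOG = """\
198.51.100.23 - - [06/Apr/2021:09:58:01 +0000] "GET /remote/login HTTP/1.1" 200 4120
203.0.113.7 - - [06/Apr/2021:10:01:15 +0000] "GET /files/view?name=/../../../../etc/passwd HTTP/1.1" 200 1876
203.0.113.7 - - [06/Apr/2021:10:01:19 +0000] "GET /files/view?name=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 512
203.0.113.9 - - [06/Apr/2021:10:02:03 +0000] "GET /files/view?name=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024
198.51.100.23 - - [06/Apr/2021:10:03:44 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment: preceded by a separator, a query delimiter or the start
# of the string, and followed by a separator or the end.  "release..notes" is
# not a segment and must not match.
TRAVERSAL_RE = re.compile(r'(^|[/\\=?&])\.\.([/\\]|$)')


def normalize_target(target: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %252e%252e%252f are seen as ../, then unify backslashes to slashes."""
    current = target
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(target: str) -> bool:
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan_log(text: str) -> list:
    """Return one record per request whose target contains a traversal segment.
    A 2xx status means the server served something, so those are the hits to
    triage first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        if is_traversal(m["target"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],
                "decoded": normalize_target(m["target"]),
                "status": status,
                "served": 200 <= status < 300,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["time"]} {hit["ip"]} {flag} {hit["decoded"]}')
```

Two caveats worth keeping in mind when adapting this: the bounded decode loop catches double encoding but not every obfuscation (for example "....//" sequences that some servers collapse), and a 403 on a traversal attempt still tells you the source address is probing, so the blocked hits belong in the same triage queue as the served ones, just at lower priority.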
CVE-2019-5591 (LDAP server impersonation)
Description: A default configuration weakness may allow an unauthenticated attacker on the same subnet to conduct a man-in-the-middle attack by impersonating the LDAP server and capturing what the FortiGate sends to it, such as the user credentials it forwards for authentication.
Affected versions: FortiOS 6.2.0 and below.
CVE-2020-12812 (SSL VPN two-factor bypass)
Description: An improper authentication vulnerability in the FortiOS SSL VPN may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case of their username. A valid password is still required; the flaw only skips the second factor, which matters most where credentials have already been harvested, for example through CVE-2018-13379.
Affected versions: FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below.
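The third vulnerability is an instance of a general bug class: two lookups of the same identity that disagree about case. The following is an added illustration of that class, not Fortinet's code and not a reconstruction of the FortiOS implementation. The user directory, passwords and the static "token" standing in for a FortiToken code are all constructed; a static salt and PBKDF2 are used only to keep the example self-contained. The vulnerable function finds the account case-insensitively for the password check but decides the second-factor policy with an exact-case lookup on the name as typed; the hardened function canonicalises the username once and makes every decision on the single record the password was verified against.

```python
import hashlib
import hmac

# Constructed demo directory (not FortiOS data).  A static salt and PBKDF2 are
# used only to keep the example self-contained; a real system would use
# per-user salts and a tuned password KDF.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Keys are the canonical (case-folded) stored usernames.  "token" is a
# constructed static second-factor value standing in for a FortiToken code.
USERS = {
    "alice": {"pw": _hash_password("correct horse"), "mfa": True, "token": "482913"},
    "bob": {"pw": _hash_password("battery staple"), "mfa": False, "token": None},
}


def _password_ok(record: dict, password: str) -> bool:
    return hmac.compare_digest(record["pw"], _hash_password(password))


def _token_ok(record: dict, token) -> bool:
    return token is not None and hmac.compare_digest(record["token"], token)


def vulnerable_login(username: str, password: str, token=None) -> str:
    """The bug class: the password step finds the account case-insensitively,
    but the 'does this account require a second factor' check is an exact-case
    lookup on the name as typed, so 'Alice' authenticates as alice and then
    skips the token prompt."""
    record = next(
        (r for stored, r in USERS.items() if stored.lower() == username.lower()),
        None,
    )
    if record is None or not _password_ok(record, password):
        return "denied"
    # BUG: policy decided on the submitted spelling, not the matched account.
    if username in USERS and USERS[username]["mfa"]:
        return "ok" if _token_ok(record, token) else "need_token"
    return "ok"


def hardened_login(username: str, password: str, token=None) -> str:
    """Canonicalise once, then make every decision on the single record that
    the password was verified against.  No second lookup, so no way for two
    spellings of one name to reach different policy."""
    record = USERS.get(username.casefold())
    if record is None or not _password_ok(record, password):
        return "denied"
    if record["mfa"]:
        return "ok" if _token_ok(record, token) else "need_token"
    return "ok"


if __name__ == "__main__":
    for name in ("alice", "Alice", "ALICE"):
        print(f"{name:6} vulnerable={vulnerable_login(name, 'correct horse'):10} "
              f"hardened={hardened_login(name, 'correct horse')}")
```

The same pattern is worth checking in any authentication stack that layers a second factor on top of a directory lookup: if the password backend and the MFA policy store normalise identities differently (case, Unicode form, trailing whitespace, UPN versus sAMAccountName), a user-controlled spelling can satisfy one and dodge the other.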
The APT actors may use any or all of these vulnerabilities to gain access to key networks as pre-positioning for follow-on attacks. APT actors may use other techniques in conjunction with these vulnerabilities to gain access to critical infrastructure networks in order to conduct additional malicious activity.
Recommendations
Immediately patch CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. Patching alone does not undo what an attacker may already have taken from an exposed device: CVE-2018-13379 allows unauthenticated download of system files, so after patching, reset the credentials of SSL VPN users and review VPN and administrative logins on the device for the period it was exposed. If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization's execution deny list, and prevent any attempt to install or run the program or its associated files. Maintain offline backups. Segment your network, and apply adequate access controls and permissions to the installation of local executables. Provide security awareness training to your staff, specifically on recognizing and avoiding phishing emails.
SOD Actions
We are actively searching for indicators of this threat on your systems and will let you know immediately if we see any sign of them. If you have not heard from our team, we do not currently see any sign of this activity in your environment.
As more information becomes available, the Security On-Demand Threat Recon Unit will continue to notify you of any crucial updates. We highly recommend patching these vulnerabilities immediately if the patches have not already been applied through your regular patching cycle. Please contact us if you have any questions or concerns.
Sources
https://www.fortiguard.com/psirt/FG-IR-19-283 (Fortinet PSIRT advisory for CVE-2020-12812)