Three security vulnerabilities in FortiOS, the operating system used by Fortinet SSL VPN appliances, are currently being observed to be exploited by advanced persistent threat (APT) actors. Exploitation of the vulnerabilities, CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812, may allow threat actors to gain a foothold within vulnerable networks before moving laterally and carrying out reconnaissance activity.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Joint Cybersecurity Advisory [1] regarding APT actors who are likely using any or all of these CVEs to gain access to vulnerable Fortinet FortiOS servers across multiple critical infrastructure sectors, positioning themselves on key networks for follow-on data exfiltration or data encryption attacks. Threat actors have been observed scanning Fortinet SSL VPN devices on ports 4443, 8443, and 10443 for CVE-2018-13379, and enumerating devices for CVE-2020-12812 and CVE-2019-5591. Successful exploitation of the vulnerabilities could allow threat actors to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear phishing campaigns, website defacements, and disinformation campaigns.

A. Nature of the Vulnerabilities

The vulnerabilities are tracked as follows:

CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

CVE-2019-5591, a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

CVE-2020-12812, an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

B. List of Vulnerable Systems

Vulnerable FortiOS versions are as follows:

CVE-2018-13379

· FortiOS 6.0.0 to 6.0.4

· FortiOS 5.6.3 to 5.6.7

· FortiOS 5.4.6 to 5.4.12

CVE-2019-5591

· FortiOS 6.2.0 and below

CVE-2020-12812

· FortiOS 6.4.0

· FortiOS 6.2.0 to 6.2.3

· FortiOS 6.0.9 and below

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

If using Fortinet SSL VPN, immediately check the current FortiOS version of the product. If the version falls within the vulnerable ranges listed above, immediately apply the corresponding patch(es) for the affected Fortinet products as published in the Fortiguard PSIRT advisories (https://www.fortiguard.com/psirt/FG-IR-18-384, https://www.fortiguard.com/psirt/FG-IR-19-283, https://www.fortiguard.com/psirt/FG-IR-19-037).
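The version check above can be scripted against the ranges in section B. The following is an added example in Python, not part of the CERT-PH or FBI/CISA advisory; the range table is transcribed from section B, and "x and below" is assumed to mean every earlier release (lower bound 0.0.0), since the advisory gives no lower bound for those entries.

```python
"""Map a FortiOS version string to the advisory CVEs whose vulnerable
range contains it. Added example; range table transcribed from section B."""
from typing import List, Tuple

Version = Tuple[int, int, int]

# (CVE, inclusive lower bound, inclusive upper bound), in advisory order.
# "x and below" is assumed to start at 0.0.0; a single version is its own range.
VULNERABLE_RANGES = [
    ("CVE-2018-13379", (6, 0, 0), (6, 0, 4)),
    ("CVE-2018-13379", (5, 6, 3), (5, 6, 7)),
    ("CVE-2018-13379", (5, 4, 6), (5, 4, 12)),
    ("CVE-2019-5591",  (0, 0, 0), (6, 2, 0)),
    ("CVE-2020-12812", (6, 4, 0), (6, 4, 0)),
    ("CVE-2020-12812", (6, 2, 0), (6, 2, 3)),
    ("CVE-2020-12812", (0, 0, 0), (6, 0, 9)),
]


def parse_version(text: str) -> Version:
    """Parse 'FortiOS 6.0.4', 'v6.2.3' or '6.0.4' into a comparable tuple.
    Anything after the third numeric component (build numbers) is ignored."""
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def affected_cves(version_text: str) -> List[str]:
    """Return the advisory CVEs whose listed range contains the version,
    in advisory order and without duplicates (empty list if none match)."""
    v = parse_version(version_text)
    hits: List[str] = []
    for cve, low, high in VULNERABLE_RANGES:
        # Tuple comparison is lexicographic, so (6, 0, 4) < (6, 0, 10) as expected.
        if low <= v <= high and cve not in hits:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for sample in ("FortiOS 6.0.4", "6.2.3", "6.4.1"):  # constructed inputs
        print(sample, "->", affected_cves(sample) or "not in listed ranges")
```

An empty result only means the version is outside the ranges listed in section B; confirm against the Fortiguard PSIRT advisories before treating a device as unaffected.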

[1] Joint Cybersecurity Advisory [https://www.ic3.gov/Media/News/2021/210402.pdf]