The security of our customers is our first priority. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
The following Common Vulnerabilities and Exposures (CVE) are included in the joint CSA:
· CVE-2018-13379, a path traversal vulnerability (Common Vulnerability Scoring System (CVSS) base score of 9.8);
· CVE-2020-12812, an improper authentication vulnerability (CVSS base score of 9.8); and
· CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5).
· CVE-2018-13379/ FG-IR-18-384
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Affected products:
FortiOS 6.0 - 6.0.0 to 6.0.4
FortiOS 5.6 - 5.6.3 to 5.6.7
FortiOS 5.4 - 5.4.6 to 5.4.12
(Other branches and versions are not impacted.)
Affected ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
Solution: Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
More details can be found at https://www.fortiguard.com/psirt/FG-IR-18-384.
· CVE-2019-5591/ FG-IR-19-037
A default configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
Affected products:
FortiOS 6.2.0 and below.
Solution: Upgrade to FortiOS 6.2.1 and above.
More details can be found at https://www.fortiguard.com/psirt/FG-IR-19-037
· CVE-2020-12812/ FG-IR-19-283
An improper authentication vulnerability in SSL VPN in FortiOS may allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they change the case of their username.
This happens when two-factor authentication is enabled in the "user local" setting and that user's authentication type is set to a remote authentication method (e.g. LDAP).
The issue exists because of inconsistent case-sensitive matching between the local and remote authentication.
Affected products:
FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below
Solution: Upgrade to the following FortiOS version:
6.4.1 or later
6.2.4 or later
6.0.10 or later
More details can be found at https://www.fortiguard.com/psirt/FG-IR-19-283
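The mechanism behind CVE-2020-12812 is easy to misread, so here is an added example (Python, written for this article; it is not Fortinet code and does not reproduce FortiOS internals). It models the natural reading of the advisory: the remote (LDAP-style) backend matches usernames case-insensitively, while the local user table that carries the two-factor requirement is looked up case-sensitively, so a username with altered case passes the password check but never reaches the token check. Every user, password and token value is constructed for the example.

```python
# Added example (Python; not Fortinet code): a toy login flow reproducing the
# class of bug described for CVE-2020-12812. The remote (LDAP-style) backend
# matches usernames case-insensitively, while the local user table that carries
# the two-factor requirement is looked up case-sensitively. Changing the case of
# the username passes the password check but never reaches the token check.
# Every user, password and token value below is constructed for the example.
from dataclasses import dataclass
from typing import Optional

# Constructed remote directory. LDAP attribute matching for user names is
# normally case-insensitive, so the simulated bind lower-cases the name.
REMOTE_DIRECTORY = {"alice": "correct horse battery staple"}

# Constructed token store: serial -> currently valid one-time code.
TOKENS = {"FTK-000001": "123456"}


@dataclass
class LocalUser:
    name: str
    auth_type: str              # "remote": password is verified by the directory
    two_factor: bool
    token_serial: Optional[str]


# Constructed local user table ("user local" entries with 2FA enabled).
LOCAL_USERS = {"alice": LocalUser("alice", "remote", True, "FTK-000001")}


def remote_authenticate(username: str, password: str) -> bool:
    """Simulated remote bind: case-insensitive on the user name."""
    stored = REMOTE_DIRECTORY.get(username.lower())
    return stored is not None and stored == password


def verify_token(serial: Optional[str], otp: Optional[str]) -> bool:
    """Constant-value stand-in for FortiToken validation."""
    return serial is not None and otp is not None and TOKENS.get(serial) == otp


def login_vulnerable(username: str, password: str, otp: Optional[str]) -> str:
    """Bug: remote check is case-insensitive, local 2FA lookup is exact-case."""
    if not remote_authenticate(username, password):
        return "denied"
    local = LOCAL_USERS.get(username)           # "Alice" misses the "alice" entry
    if local is None or not local.two_factor:
        return "granted-no-2fa"                 # second factor silently skipped
    if not verify_token(local.token_serial, otp):
        return "2fa-required"
    return "granted-2fa"


def login_fixed(username: str, password: str, otp: Optional[str]) -> str:
    """Canonicalise once, use the same form for every lookup, fail closed."""
    canonical = username.lower()                # must mirror the directory's rule
    if not remote_authenticate(canonical, password):
        return "denied"
    local = LOCAL_USERS.get(canonical)
    if local is None:
        return "denied"                         # no local policy entry: no access
    if local.two_factor:
        if not verify_token(local.token_serial, otp):
            return "2fa-required"
        return "granted-2fa"
    return "granted-no-2fa"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    for name in ("alice", "Alice", "ALICE"):
        print(f"{name:6} vulnerable={login_vulnerable(name, pw, None):15} "
              f"fixed={login_fixed(name, pw, None)}")
```

The fix for the real product is the upgrade listed above; the point of the example is the review rule it illustrates for any authentication code of your own: whatever normalisation the backend applies to identifiers (here `lower()`, standing in for LDAP's case-insensitive matching) must be applied once, up front, and every policy lookup must use that canonical form. Two lookups with different matching rules are an authentication bypass waiting for an input that satisfies one but not the other.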
Fortinet customers are advised to upgrade to the recommended FortiOS versions to mitigate against these vulnerabilities and exploits.
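For triaging a fleet against the three advisories, here is an added example (Python, written for this article, not a Fortinet tool) that checks a FortiOS version string against the affected ranges transcribed from the entries above. It assumes plain `major.minor.patch` version strings (optionally prefixed with `v`), treats every range as inclusive, and reads "X and below" literally as every lower version.

```python
# Added example (Python; not Fortinet code): check a FortiOS version string
# against the affected ranges stated in the advisory text above. Ranges are
# inclusive and "X and below" is read literally as every lower version.
# Assumes plain major.minor.patch version strings (optionally prefixed "v").
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'6.0.4' or 'v6.0.4' -> (6, 0, 4); rejects anything else."""
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


# Inclusive (low, high) ranges, transcribed from the three PSIRT entries above.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2018-13379": [((6, 0, 0), (6, 0, 4)),
                       ((5, 6, 3), (5, 6, 7)),
                       ((5, 4, 6), (5, 4, 12))],
    "CVE-2019-5591":  [((0, 0, 0), (6, 2, 0))],           # "6.2.0 and below"
    "CVE-2020-12812": [((6, 4, 0), (6, 4, 0)),
                       ((6, 2, 0), (6, 2, 3)),
                       ((0, 0, 0), (6, 0, 9))],           # "6.0.9 and below"
}


def affected_cves(version: str, ssl_vpn_enabled: bool = True) -> List[str]:
    """Return the CVEs from the advisory that apply to this FortiOS build.

    CVE-2018-13379 only applies when the SSL VPN service (web or tunnel mode)
    is enabled; the other two are reported regardless of configuration.
    """
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if cve == "CVE-2018-13379" and not ssl_vpn_enabled:
            continue
        if any(low <= v <= high for low, high in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for build in ("5.6.7", "6.0.4", "6.0.5", "6.2.0", "6.2.4", "6.4.0", "6.4.1"):
        print(f"FortiOS {build}: {affected_cves(build) or 'not affected'}")
```

Feed it the version reported by each device and upgrade anything that returns a non-empty list to the release named for its branch above. Note what the check does not tell you: a device that is on a fixed version today may still have been exposed while it was vulnerable, which is what the detection content in the rest of this article is for.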
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect attempts to exploit the SSL VPN vulnerabilities in FortiOS described above.
The Event Handler and Report will:
To apply fixes for the configuration vulnerabilities CVE-2019-5591 and CVE-2020-12812, see the corresponding FortiGuard links above for recommendations. Likewise, see the FortiGuard link for CVE-2018-13379 for information on mitigating that vulnerability.
What is included in Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip?
This event handler helps detect attempts at exploiting CVE-2018-13379, based on FortiGate IPS signature detection.
It includes the following IPS signature:
A Threat Hunting Report to summarize:
All screen shots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip file (contains 2 files)
2) Unzip Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip
3) Use Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json to import into Event Handlers
a. Choose an ADOM (if ADOMs are enabled)
b. Choose the FortiSOC module
c. Select Event Handler List
d. Select the Import option under "More"
e. Select Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json
Result: the imported event handler is enabled and will be triggered by matching logs received after the import (logs received before the event handler was imported are not evaluated by it).
4) Use Outbreak_Alerts_FOS-Vulnerabilities_Report.dat to import into Reports
a. Choose a Fabric ADOM (if ADOMs are enabled)
b. Choose the Report module
c. Select the Import option under "More"
d. Select Outbreak_Alerts_FOS-Vulnerabilities_Report.dat
Result: 'Outbreak_Alerts_FOS-Vulnerabilities_Report' can be run at any time as determined by an admin user.
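For readers who want to reproduce the event handler's logic outside FortiAnalyzer, for instance against an exported FortiGate log file, here is an added example (Python, written for this article; it is not the imported event handler and not Fortinet code). It parses FortiGate `key=value` log lines, keeps only IPS events (`type="utm" subtype="ips"`) whose `attack` field names the target signature, and groups the hits by source address. The signature name `TARGET_ATTACK` is a stand-in: substitute the signature named by the imported event handler. All log lines are constructed for the example.

```python
# Added example (Python; not the FortiAnalyzer event handler itself): the same
# detection idea applied directly to FortiGate IPS logs, e.g. a log export.
# FortiGate logs are key=value lines with quoted string values. The signature
# name TARGET_ATTACK is a STAND-IN; substitute the signature named by the
# imported event handler. All log lines below are constructed for this example.
import re
from collections import defaultdict
from typing import Dict, Iterable, List

TARGET_ATTACK = "SSLVPN.Path.Traversal.EXAMPLE"   # placeholder, not a real signature name

# One pass over `key=value` or `key="quoted value"` pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate log line into a field dict, unquoting string values."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


# Constructed sample: two blocked hits from one source, one hit from a second
# source where IPS only *detected* (monitor mode), one unrelated IPS event,
# and one traffic log that must be ignored.
SAMPLE_LOGS: List[str] = [
    'date=2021-04-02 time=10:15:01 devname="FGT-EDGE" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" severity="critical" srcip=198.51.100.23 dstip=203.0.113.10 action="dropped" proto=6 '
    'service="HTTPS" attack="SSLVPN.Path.Traversal.EXAMPLE" srcport=51522 dstport=10443 direction="incoming"',
    'date=2021-04-02 time=10:15:03 devname="FGT-EDGE" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" severity="critical" srcip=198.51.100.23 dstip=203.0.113.10 action="dropped" proto=6 '
    'service="HTTPS" attack="SSLVPN.Path.Traversal.EXAMPLE" srcport=51530 dstport=10443 direction="incoming"',
    'date=2021-04-02 time=11:02:44 devname="FGT-EDGE" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" severity="critical" srcip=192.0.2.77 dstip=203.0.113.10 action="detected" proto=6 '
    'service="HTTPS" attack="SSLVPN.Path.Traversal.EXAMPLE" srcport=40012 dstport=10443 direction="incoming"',
    'date=2021-04-02 time=11:05:10 devname="FGT-EDGE" type="utm" subtype="ips" eventtype="signature" '
    'level="warning" severity="medium" srcip=203.0.113.200 dstip=203.0.113.10 action="dropped" proto=6 '
    'service="HTTP" attack="Some.Other.Signature" srcport=33001 dstport=80 direction="incoming"',
    'date=2021-04-02 time=11:06:00 devname="FGT-EDGE" type="traffic" subtype="forward" level="notice" '
    'srcip=192.0.2.77 dstip=203.0.113.10 action="accept" proto=6 service="HTTPS" sentbyte=812 rcvdbyte=4410',
]


def detect_sslvpn_exploit_attempts(lines: Iterable[str],
                                   attack_name: str = TARGET_ATTACK,
                                   min_hits: int = 1) -> Dict[str, dict]:
    """Group IPS hits on the target signature by source IP.

    Returns {srcip: {"count", "first", "last", "actions"}} for sources with at
    least `min_hits` matches. `actions` is kept so a practitioner can see
    whether the IPS blocked ("dropped") or merely logged ("detected") the hit.
    """
    hits: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "actions": set()})
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "ips":
            continue                                  # not an IPS event
        if rec.get("attack") != attack_name:
            continue                                  # other signature
        src = rec.get("srcip", "unknown")
        stamp = f'{rec.get("date", "")} {rec.get("time", "")}'.strip()
        entry = hits[src]
        entry["count"] += 1
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        entry["actions"].add(rec.get("action", "unknown"))
    return {src: e for src, e in hits.items() if e["count"] >= min_hits}


if __name__ == "__main__":
    for src, e in detect_sslvpn_exploit_attempts(SAMPLE_LOGS).items():
        print(f'{src}: {e["count"]} hit(s) {e["first"]} .. {e["last"]} actions={sorted(e["actions"])}')
```

The `actions` field is the detail worth checking first when the event handler fires: a hit with `action="detected"` means the IPS profile on that policy was in monitor mode and the request reached the SSL VPN portal, so on an unpatched build that source should be treated as a possible successful exploitation rather than a blocked attempt.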