FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
alif
Staff
Staff
Description

The security of our customers is our first priority. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

The following Common Vulnerabilities and Exposures (CVE) are included in the joint CSA:

o    CVE-2018-13379, a path traversal vulnerability (Common Vulnerability Scoring System base score of 9.8);

o    CVE-2020-12812, an improper authentication vulnerability (CVSS base score of 9.8); and

o    CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5).

 

·         CVE-2018-13379/FG-IR-18-384

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

 

Affected Products

FortiOS 6.0 - 6.0.0 to 6.0.4

FortiOS 5.6 - 5.6.3 to 5.6.7

FortiOS 5.4 - 5.4.6 to 5.4.12

(other branches and versions than above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

 

Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

 

More details can be found at https://www.fortiguard.com/psirt/FG-IR-18-384.

 

·         CVE-2019-5591/FG-IR-19-037

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

 

Affected Products

FortiOS 6.2.0 and below.

 

Solutions

Upgrade to FortiOS 6.2.1 and above.

 

More details can be found at https://www.fortiguard.com/psirt/FG-IR-19-037

 

·         CVE-2020-12812/ FG-IR-19-283

An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

 

This happens when two-factor authentication is enabled in the "user local" setting, and that user authentication type is set to a remote authentication method (eg: ldap).

 

The issue exists because of inconsistent case sensitive matching among the local and remote authentication.

 

Affected Products

FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below

 

Solutions

Upgrade to the following FortiOS version:

6.4.1 or later

6.2.4 or later

6.0.10 or later

 

More details can be found at https://www.fortiguard.com/psirt/FG-IR-19-283

 

Fortinet customers are advised to upgrade to the recommended FortiOS versions to mitigate against these vulnerabilities and exploits.


Scope
The custom Event Handler and Report provided can be used in FortiAnalyzer 6.2 and FortiAnalyzer 6.4.

See the Solution section for instruction on how to load these into a FortiAnalyzer.

Solution

This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect attack attempts to exploit SSL VPN Vulnerabilities in FortiOS.

The Event Handler and Report will:

  1. Detect and report on IPS events of attempts to exploit CVE-2018-13379
  2. Report on FortiGate OS versions that are vulnerable to the above vulnerabilities
  3. NOT detect whether configuration has been applied to fix configuration vulnerabilities.

To apply fixes for configuration vulnerabilities in CVE-2019-5591 and CVE-2020-12812, please visit the FortiGuard link above for recommendations. Additionally, visit the FortiGuard link corresponding to CVE-2018-13379 for info on mitigating the vulnerability.

 

What is included in Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip?

 

1. Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json

This event handler helps detect attempts at exploiting CVE-2018-13379, based on FortiGate IPS signature detection. 

 

It includes the following IPS signature:

FortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure

 

2. Outbreak_Alerts_FOS-Vulnerabilities_Report.dat

A Threat Hunting Report to summarize:

    • Affected FortiGates by vulnerabilities detection
    • SSL VPN Vulnerability IPS detection

 

All screen shots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4. 

 

1) Download the Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip file (contains 2 files)

 

2) Unzip Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip

 

3) Use Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json to import into Event Handlers

     a. Choose an ADOM (if ADOMs are enabled)

     b. Choose the FortiSOC module

     c. Select Event Handler List

     d. Select the Import option under "More"

     e. Select Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json

 

 

Result: Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json is enabled and will be triggered if the appropriate logs are received after the event handler was imported

 

4) Use Outbreak_Alerts_FOS-Vulnerabilities_Report.dat to import into Reports

    a. Choose a Fabric ADOM (if ADOMs are enabled)

    b. Choose the Report module

    c. Select the Import option under "More"

    d. Select Outbreak_Alerts_FOS-Vulnerabilities_Report.dat

 

 

Result: ‘Outbreak_Alerts_FOS-Vulnerabilities_Report' can be run anytime as determined by an admin user.

Related document.
https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-forti...



Contributors