Vulnerability in Fortinet’s legacy Fortigate VPN systems exposes close to 50,000 credentials

Fortinet said on Monday that in the last 60 days it has become aware that threat actors were scanning the internet for unpatched devices and sent out “another, even more tailored email notification directly to the 50K+ customers,” who have been identified as running impacted firmware.

The recent focus on Fortinet’s FortiGate VPN systems came after disclosure by a hacker that a list of 50,000 credentials was available online following an exploit of the CVE-2018-13379 vulnerability. The National Vulnerability Database (NVD) has also modified on its site the security detail for the vulnerability, as it awaits reanalysis of the weakness.

Fortinet advises users to upgrade to FortiOS 5.4.13, 5.6.11, 6.0.6, 6.2.2, while FortiGuard Labs released patches for the CVE-2018-13379 vulnerability.

The CVE-2018-13379 vulnerability has been described as an improper limitation of a pathname to a restricted directory (Path Traversal) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 under SSL VPN web portal that allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

“Since the original PSIRT Advisory, we have put several processes and best practices in place to prevent reoccurrence,” wrote Carl Windsor, a Fortinet executive, in a company blog post. “However, after over 18 months, over 7 different Fortinet notifications, and news outlets and government organizations also calling out the prospects of risk, there are still a large number of devices that remain unpatched and it has been reported that their IP addresses are being sold.”

Bank Security made public on its Twitter handle on Nov. 19 that a threat actor using the name “pumpedkicks” made public a list consisting of 49,577 IPs found vulnerable to Fortinet SSL VPN CVE-2018-13379, and claimed to have clear text credentials associated with these IPs.

Subsequently, Bank Security announced in another Twitter message that it looked into the nslookup on all IPs, and found that among the victims there are some banks, many .gov domains and thousands of companies around the world. The nslookup is a network administration command-line tool found in computer operating systems that helps in querying the Domain Name System (DNS) to obtain domain name or IP address mapping or other DNS records.

Following a disclosure, Bank Security said in a subsequent Twitter message on Nov. 25 that another threat actor using the name “arendee2018” shared the plaintext credentials related to the same Fortinet Vulnerable IPs list, and that these credentials were spreading on various forums and chats. The data set posted on the forum is said to be the most ‘complete achieve containing all exploit links and sslvpn_websession files, not available anywhere else, 6.7GB uncompressed,’ according to the screenshot available.

Fortinet announced in its blog certain measures that aim to improve customer protection and communication efforts in its attempt to adopt a more proactive risk management and mitigation process when it comes to dealing with potential security vulnerabilities.

The company will now release monthly vulnerability advisories on the first Tuesday of each month, starting Dec.1, to provide updates that focus on infrastructure patching. Apart from the monthly notifications from the PSIRT team and incorporating those factors into the security rating, a high or critical severity issue requiring an upgrade will also be flagged in the potentially affected device GUI with a link to the FortiGuard advisory.

Also, when a Fortinet device checks in with FortiGuard for its latest security updates, it communicates with the running firmware for support purposes. This will be used to report on the security level of all Fortinet devices in the FortiCare support account. To further aid critical infrastructure providers in their choice of firmware and simplify the process of upgrading, Fortinet will label stability releases and provide support for selected firmware to remove some of the perceived challenges delaying customers from performing upgrades.

Fortinet had revealed in its semiannual FortiGuard Labs Global Threat Landscape Report in August that cybercriminals and nation-state actors used the COVID-19 pandemic as an opportunity to plan a variety of cyberattacks around the world. The flexibility of the adversaries enabled waves of attacks targeting the fear and uncertainty of the prevailing situation, apart from the increased number of remote workers outside the corporate network.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.