-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0179
          FortiGate SSL-VPN Credentials Leaked by a Malicious Actor
                              10 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-13379
Reference:         ESB-2019.1891.3

OVERVIEW

        Fortinet have announced that "a malicious actor has recently
        disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN
        devices." [1] The disclosure has been covered by several
        publications over the last few days, and the leaked credential data
        is available in the wild. [2][3][4]

IMPACT

        Fortinet advise that the credentials were obtained by exploiting
        FG-IR-18-384 / CVE-2018-13379, which was resolved in May 2019. [1]
        This vulnerability allowed "an unauthenticated attacker to download
        FortiOS system files through specially crafted HTTP resource
        requests." [5][6]

        If a device ran any of the following FortiOS versions at any time,
        the SSL-VPN credentials on it may have been compromised:

            FortiOS 6.0 - 6.0.0 to 6.0.4
            FortiOS 5.6 - 5.6.3 to 5.6.7
            FortiOS 5.4 - 5.4.6 to 5.4.12 [1][5]

        The ACSC state "It is unknown exactly when the suspected
        exploitation activity occurred for each identified FortiNet device
        in the list." [4]

        Fortinet have published multiple blogs since the initial
        vulnerability disclosure encouraging customers to upgrade their
        devices. A blog from 16 July 2020 noted that the vulnerability was
        being targeted by APT 29. [7][8][9][10]

MITIGATION

        Fortinet recommends taking the following remediation steps:

        "1. Disable all VPNs until the following remediation steps have
            been taken.
         2. Immediately upgrade affected devices to the latest available
            release, as detailed below.
         3. Treat all credentials as potentially compromised by performing
            an organization-wide password reset.
         4. Implement multi-factor authentication, which will help mitigate
            the abuse of any compromised credentials, both now and in the
            future.
         5. Notify users to explain the reason for the password reset and
            monitor services such as HIBP for your domain. There is the
            potential that if passwords have been reused for other
            accounts, they could be used in credential stuffing
            attacks." [1]

        Fortinet stress that the password reset must be performed if a
        vulnerable version of FortiOS was ever running, regardless of the
        version a device runs today; upgrading alone does not revoke
        credentials that were already harvested:

        "Fortinet is reiterating that, if at any time your organization was
        running any of the affected versions listed below, even if you have
        upgraded your devices, you must also perform the recommended user
        password reset following upgrade, as per the customer support
        bulletin and other advisory information. Otherwise, you may remain
        vulnerable post-upgrade if your users' credentials were previously
        compromised." [1]
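        As an added example (not part of the AusCERT bulletin or of
        Fortinet's guidance), the following Python triages a FortiGate
        inventory against the affected version ranges listed under IMPACT
        and applies the "if at any time" rule from MITIGATION: a device
        that ran any affected build is flagged for the password reset even
        if it has since been upgraded, and a device still on an affected
        build is additionally flagged for upgrade. The device names, the
        version histories and the "v5.4.10,build..." status-string format
        are constructed for illustration and are not taken from the
        bulletin.

```python
import re
from typing import Dict, List, Tuple, Union

Version = Tuple[int, int, int]

# Inclusive ranges taken from the IMPACT section of the bulletin.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((6, 0, 0), (6, 0, 4)),   # FortiOS 6.0.0 to 6.0.4
    ((5, 6, 3), (5, 6, 7)),   # FortiOS 5.6.3 to 5.6.7
    ((5, 4, 6), (5, 4, 12)),  # FortiOS 5.4.6 to 5.4.12
]

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> Version:
    """Return (major, minor, patch) from a plain '6.0.4' or from a longer
    status string such as 'v6.0.4,build0000 (GA)'.  The longer shape is an
    assumption about appliance output, not something the bulletin states.
    Integer tuples compare numerically, so 5.4.12 sorts above 5.4.6 (a plain
    string comparison would get that wrong)."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Union[str, Version]) -> bool:
    """True if the version lies inside any affected range (bounds inclusive)."""
    parsed = parse_fortios_version(version) if isinstance(version, str) else version
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def triage(history: Dict[str, List[str]]) -> Dict[str, Dict[str, object]]:
    """history maps a device name to the FortiOS versions it has run, oldest
    first.  Per the bulletin, one affected build anywhere in the history means
    the SSL-VPN credentials must be treated as compromised even if the device
    is patched today, so 'reset_required' follows 'ever_affected', not
    'current_affected'."""
    report: Dict[str, Dict[str, object]] = {}
    for device, versions in history.items():
        parsed = [parse_fortios_version(v) for v in versions]
        seen = [".".join(map(str, p)) for p in parsed if is_affected(p)]
        report[device] = {
            "current_version": ".".join(map(str, parsed[-1])),
            "current_affected": is_affected(parsed[-1]),  # still needs the upgrade
            "ever_affected": bool(seen),
            "affected_versions_seen": seen,
            "reset_required": bool(seen),
        }
    return report


# Constructed sample inventory (hypothetical device names and histories).
SAMPLE_HISTORY: Dict[str, List[str]] = {
    "fw-hq-01": ["5.6.2", "5.6.8", "6.2.9"],        # never ran an affected build
    "fw-branch-02": ["6.0.2", "6.0.9", "6.4.6"],    # patched, but ran 6.0.2
    "fw-dc-03": ["v5.4.10,build0000 (GA)"],         # still on an affected build
}


if __name__ == "__main__":
    for name, row in triage(SAMPLE_HISTORY).items():
        actions = []
        if row["current_affected"]:
            actions.append("UPGRADE")
        if row["reset_required"]:
            actions.append("RESET PASSWORDS")
        print(f"{name:14} {row['current_version']:8} {' + '.join(actions) or 'no action'}")
```

        The point of keeping the whole version history rather than only the
        current build is the second device: it is on a fixed release and
        would pass a scan of current versions, yet its users' credentials
        may already be in the leaked data set.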
REFERENCES

        [1] Malicious Actor Discloses FortiGate SSL-VPN Credentials
            https://www.fortinet.com/blog/psirt-blogs/malicious-actor-discloses-fortigate-ssl-vpn-credentials

        [2] Hackers Leak VPN Account Passwords From 87,000 Fortinet FortiGate
            Devices
            https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html

        [3] Hackers leak passwords for 500,000 Fortinet VPN accounts
            https://www.bleepingcomputer.com/news/security/hackers-leak-passwords-for-500-000-fortinet-vpn-accounts/

        [4] Suspected user credentials stolen from FortiNet devices leaked
            online
            https://www.cyber.gov.au/acsc/view-all-content/alerts/suspected-user-credentials-stolen-fortinet-devices-leaked-online

        [5] FortiOS system file leak through SSL VPN via specially crafted
            HTTP resource requests
            https://www.fortiguard.com/psirt/FG-IR-18-384

        [6] UPDATE Fortigate SSL VPN: Multiple vulnerabilities
            https://www.auscert.org.au/bulletins/ESB-2019.1891.3

        [7] FortiOS and SSL Vulnerabilities
            https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability?utm_source=blog&utm_campaign=fortios-ssl-vulnerability

        [8] ATP 29 Targeting SSL VPN Flaws
            https://www.fortinet.com/blog/psirt-blogs/atp-29-targets-ssl-vpn-flaws?utm_source=blog&utm_campaign=atp-29-targets-ssl-vpn-flaws

        [9] Patch and Vulnerability Management
            https://www.fortinet.com/blog/psirt-blogs/patch-vulnerability-management?utm_source=blog&utm_campaign=patch-vulnerability-management

        [10] Prioritizing Patching is Essential for Network Integrity
             https://www.fortinet.com/blog/psirt-blogs/prioritizing-patching-is-essential-for-network-integrity

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYTrlXuNLKJtyKPYoAQjbLRAAjqAqgmg1Gy9D61D87jbLOLQeAwSztn0G
MggMeLqy8gEVc6U0T1F6uOj3YPF11ofE+YEc2yH7NdqpuWRRo24FTblg/T+IDZlX
WRMyJykgLI12D/Cd/QElqc/FK4g5EUxZs+HqaeaiW1SLV0vi0uYL9nq16JOKgIKe
hG2D4zzG1lbMwGP6u03As1o0RU51ffP/l81XfI9+v+fPGZb+pqhdPqrw14FvfyeX
I3/m9OZpruy2B8T8mgaApdwGqpLiB5bbg3bcIUTNC7P9h61VLUtu3ByNzvYiV3Vz
BIpnO6BANg5kmjbV1z7gX8yvlHA9/7syMZ5yr/9ll/ToJZr6t5slPobm5mvXZAeZ
WpGmsiCx9Lg6ljEhIqjQoUfnKsxDNzov/9Ti3/1Z9TItyukQHKTXg/4x1FEp0TUS
5z0nNQ6j2kogxkvPTQz/oJzzU7K8tfcjOiNTe4s7cZ1klbdqbn7DqF117ecI+Q/o
pF44PzymOE/jvW8nY0nYQ9dgRwNPJ7vVRpB0MG6aeYUQazmAw/X079t36FOpOqdr
RGmTAi3NKjaUtl/t+HYIpcBcm1VMjabsApqi2lsuy7z0XvFmIamCqN0w4ZI0IVdZ
CBoh31VjCnB8xwCtC/OKZotUHUhKycti2xKz5wsO46te+rPyZ6Iv9Kme4k23FIGi
orbcIeu/pPw=
=ogI7
-----END PGP SIGNATURE-----