Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2407 FortiOS SSL VPN 2FA bypass by changing username case 16 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: FortiOS Publisher: Fortiguard Operating System: Network Appliance Impact/Access: Reduced Security -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-12812 Original Bulletin: https://fortiguard.com/psirt/FG-IR-19-283 - --------------------------BEGIN INCLUDED TEXT-------------------- FortiOS SSL VPN 2FA bypass by changing username case IR Number : FG-IR-19-283 Date : Jul 13, 2020 Risk : 3/5 Impact : Operational Risk, Improper Authentication CVE ID : CVE-2020-12812 CVE ID : CVE-2020-12812 CVE ID : CVE-2020-12812 Summary An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. This happens when two-factor authentication is enabled in the "user local" setting, and that user authentication type is set to a remote authentication method (eg: ldap). The issue exists because of inconsistent case sensitive matching among the local and remote authentication. A new CLI attribute called "username-case-sensitivity" was added in "user local" CLI settings, and is now available when remote and two-factor authentication are both enabled: config user local edit [name] set type ldap /* ldap as remote authentication */ set two-factor fortitoken /* fortitoken as 2FA auth method */ set username-case-sensitivity enable*|disable /* newly added, set to 'enable' by default */ next username-case-sensitivity is enabled by default; this is consistent with the default behavior on previous versions (local and remote username case must match). To avoid the second factor of authentication bypass issue, administrators must manually disable username-case-sensitivity. Impact Operational Risk, Improper Authentication Affected Products FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below Solutions Upgrade to the following FortiOS version: 6.4.1 or later 6.2.4 or later 6.0.10 or later References o https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXw+FFuNLKJtyKPYoAQgFtg/8C+rBDbenIlAehgxGjseEEEtuzyZXE9w9 dSw4x1PXkmeWemHuKjfSzoonEWQ9CJKBSfknUfXL5gia63qczS5wflSIv6sxQnCq FplOsLSOHfoyLC5dPc4EWCiBnmptHml9yT3zUGf0kTJymQkV3NDz/93L03MYxpJd 9xRgewnZtX1n3b0VufS6vnD/csACAzkzsXIgpfWo0uHiT9XQo1AwuYnr/Xgw218p YmewVTdEuRzLCfn+f/JxB4yz3Zc6dc/haYJfgSv9YA0025/w8Cf4nevspmGfY5NU UE6EpEFSjol2hhdt2N2zTFND+4aOWUdweRNsRqwvOxc4NBt7d+rd0zeg2RdskWbP vPmJFsrwlOGhf6HrG3hqOJLi2GvaZA7YwJV+Yalf1emBJcfoe/6vQlzo4AMv5Wjq /IEpVbPcyyGrvdg/Nk3PCfcEjrLE6Jx5/Nw2EB9RMsxqg8n6GlJF+Xb43UxQKCVB ykDrX7ScGngiOQsOQeXqEqRHfxAj4ff2H2PnSO+Ej5g4XUWbnCQBOPlVn5WLpvl7 E0ZXmdPhqQUoAQ6I2SCEeQDoRCJLXZ/ejaf5QRBE6hK9je1Au3LZC5bEPW1h9h4z Jh1OdgpYuXLJdBkqxD8/DXtjb96DTwC2DKVKSK2fQkrMbXzFVOjna1K+82LjzrP/ XlMceo0ddlM= =y/d6 -----END PGP SIGNATURE-----