Matt Sherif

Let's Talk about Security: Recent FBI-CISA Joint statement

Updated: Apr 7

As I am sure many of you have already seen, the FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities has been published. Some of you may have wondered about it, have questions, or be unclear on the implications of this advisory.


It's my goal to help answer some of those questions in this post.


Note: this post is not an official statement from Fortinet, it doesn't claim to be, and should not be held as such. This is just some madman rambling off his opinion of things.


Let's start with the vulnerabilities:


  • CVE-2018-13379 (FG-IR-18-384) - FortiOS System File leak through SSL VPN

  • Description: A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests

  • This one is interesting; the disclosure it was part of included a few pretty serious vulnerabilities.

  • This was disclosed, and a fix provided, in May 2019 - the first round of news (fixed in 5.4.13, 5.6.9 and 6.0.5; the vulnerability does not exist in 6.2 or 6.4)

  • This CVE was also featured at Black Hat in August 2019 - the second round of news

  • News articles like this one, posted around November 2020, brought yet another round of news

  • It's important to note that this was not a new breach or a new vulnerability: the coverage was a result of the CVE having been disclosed and a large number of devices remaining unpatched

  • Fortinet released an official statement here

  • CVE-2019-5591 (FG-IR-19-037) - FortiGate default configuration does not verify the LDAP server identity

  • Description: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server

  • Basically, plain (unencrypted) LDAP does not validate the identity of the server; server identity verification is a function of LDAPS (LDAP over TLS)

  • I'm not sure I'd call this a FortiOS vulnerability rather than an inherent weakness of LDAP itself - you know, clear text and all

  • This was disclosed, and the default configuration fixed, in July 2019

  • CVE-2020-12812 (FG-IR-19-283) - FortiOS SSL VPN 2FA bypass by changing username case

  • Description: An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for a second factor of authentication if they changed the case of their username

  • This was disclosed, and a fix provided, in July 2020

  • This happens when a local user is defined with its authentication type set to a remote server/method (e.g. LDAP)

  • At the risk of sounding like Captain Obvious, this is probably an oversight: LDAP, for example, is case insensitive when it comes to usernames, yet the onboard FortiToken username attribute (the one that ties the token to the user) is case sensitive
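As an added example (this is not FortiOS code and not from the original post), the following Python model shows the mismatch described under CVE-2020-12812: the password check is delegated to a case-insensitive LDAP-style directory, while the token binding is looked up by the exact string the client typed, so a different-case spelling of the same identity passes the first factor and never matches a token. The user names, passwords and token IDs are constructed. The fixed variant canonicalizes the username the same way the authenticator does before any policy lookup, and fails closed when a token is expected but none is bound.

```python
"""Username-case mismatch between a remote authenticator and a local token binding.

Added example modelling the issue described for CVE-2020-12812; this is not
FortiOS code. All users, passwords and token IDs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    authenticated: bool           # password accepted and login allowed
    second_factor_required: bool  # a token challenge would be issued


# Constructed directory. LDAP-style servers compare user names case-insensitively,
# so "Alice" and "alice" bind as the same account.
LDAP_USERS = {"alice": "correct-horse", "bob": "battery-staple"}

# Constructed token bindings, keyed on the exact user name string as stored.
TOKENS = {"alice": "FTK-0001"}  # bob is not enrolled


def ldap_bind(username: str, password: str) -> bool:
    """Case-insensitive credential check, as a remote LDAP server would do it."""
    return LDAP_USERS.get(username.casefold()) == password


def login_vulnerable(username: str, password: str) -> Outcome:
    """First factor is delegated to LDAP; token lookup uses the raw user name.

    "Alice" binds successfully as alice, but TOKENS.get("Alice") finds nothing,
    so the session is granted without a second factor.
    """
    if not ldap_bind(username, password):
        return Outcome(False, False)
    token = TOKENS.get(username)  # bug: case-sensitive lookup on the raw name
    return Outcome(True, token is not None)


def login_fixed(username: str, password: str, require_token: bool = True) -> Outcome:
    """Canonicalize the name before any policy lookup and fail closed.

    The token binding must follow the identity the authenticator accepted, not
    the spelling the client typed; if a token is expected but none is bound,
    deny rather than silently downgrade to password-only.
    """
    if not ldap_bind(username, password):
        return Outcome(False, False)
    canonical = username.casefold()  # same normalization the directory applied
    token = TOKENS.get(canonical)
    if token is None and require_token:
        return Outcome(False, True)
    return Outcome(True, token is not None)


if __name__ == "__main__":
    for name in ("alice", "Alice", "ALICE"):
        print(name, "vulnerable:", login_vulnerable(name, "correct-horse"),
              "fixed:", login_fixed(name, "correct-horse"))
```

The general point is that every component consulted during a login (authenticator, token store, group membership, policy) must see the same canonical identity; normalizing once, at the point where the authenticator's answer is accepted, removes the class of bypass rather than the one spelling.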
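As a second added example (not code from the original post or from Fortinet), here is a small Python detector for the vulnerability class behind CVE-2018-13379: path traversal in requests to an SSL VPN web portal. It canonicalizes each request target (repeated percent-decoding to catch double encoding, backslash folding) and flags any path or query value whose `..` segments climb past the root. The access-log lines are constructed, the `/remote/` portal prefix is an assumption about the portal's URL layout, and the request lines are illustrative traversal patterns, not the published exploit.

```python
"""Path-traversal detection over SSL VPN portal access-log lines.

Added example, not from the original post or from Fortinet. The log lines are
constructed; the "/remote/" portal prefix is an assumption about URL layout.
"""
import re
from urllib.parse import unquote

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

PORTAL_PREFIX = "/remote/"  # assumed SSL VPN web portal prefix


def canonicalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding) and fold backslashes."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if '..' segments ever climb above the start of the path."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def is_traversal_attempt(target: str) -> bool:
    """Flag a request target whose path or any query value escapes its root."""
    path, _, query = canonicalize(target).partition("?")
    if escapes_root(path):
        return True
    for param in query.split("&"):
        _, _, value = param.partition("=")
        if escapes_root(value):
            return True
    return False


def scan(lines):
    """Return (src, target, status) for portal requests that look like traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if canonicalize(target).startswith(PORTAL_PREFIX) and is_traversal_attempt(target):
            hits.append((m.group("src"), target, int(m.group("status"))))
    return hits


# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '192.0.2.4 - - [10/Nov/2020:10:00:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1432',
    '192.0.2.4 - - [10/Nov/2020:10:00:03 +0000] "GET /static/img/logo.png HTTP/1.1" 200 8812',
    '203.0.113.7 - - [10/Nov/2020:10:01:05 +0000] "GET /remote/login?lang=../../../../etc/passwd HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Nov/2020:10:02:10 +0000] "GET /remote/login?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Nov/2020:10:02:11 +0000] "GET /remote/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 0',
    '192.0.2.4 - - [10/Nov/2020:10:03:00 +0000] "GET /remote/help/../login?redir=/remote/home HTTP/1.1" 200 1980',
]

if __name__ == "__main__":
    for src, target, status in scan(SAMPLE_LOG):
        print(f"{src} traversal attempt: {target} (HTTP {status})")
```

Two details matter in practice: decoding is repeated until it stops changing, because a single `unquote` leaves `%252e` as `%2e` and a naive check misses it; and the test is "does the path climb above its root", not "does it contain `..`", so `/remote/help/../login` is left alone while `/remote/../../etc/passwd` is flagged. A 200 response on a flagged line is the one to chase first, since it suggests the request actually returned a file.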

At the time of the statement by the FBI and CISA, all of these CVEs were at least 6 months old, with fixes available from Fortinet for at least that long (we're coming up on 2 years for CVE-2018-13379). It's my opinion that the FBI and CISA felt there were enough unpatched/un-remediated FortiGates out there, with the above vulnerabilities being actively exploited, that a statement was necessary to get Federal, State and Local agencies using these technologies to get their act together and apply updates.


I will also share my personal strategy as to when to update, and which version to update to:


  1. Release notes: read them. Why? CLI changes, UI changes, things that impact your day to day; known and resolved issues, things that can really mess up your day to day

  2. Version number: is it a .0 release? If yes, don't upgrade in production (this applies to all vendors)

  3. Get a lab system (VM, physical, whatever) and mimic your production setup as closely as possible

  4. Are there known issues that may impact you? Evaluate these and upgrade accordingly

  5. Is there a security vulnerability fix included? Upgrade

  6. Is there a bug fix you need? Upgrade

  7. Is there a feature you need? Have you evaluated the known issues, and are you comfortable with them? If yes, upgrade


Conclusion:


  • Every vendor has vulnerabilities; how you handle them is key. Fortinet has made its PSIRT policy public.

  • The vulnerabilities the FBI and CISA announced were fixed a long time ago

  • Most exploits and breaches take advantage of known vulnerabilities; zero-days are rare

  • Ensure you have a patch/update management plan in place to avoid being caught off guard

Thank you for reading, I hope this is helpful.
