Let's Talk about Security: Recent FBI-CISA Joint statement
Updated: Apr 7, 2021
As I am sure many of you have already seen the FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities, some of you may have wondered about it, have questions, or be unclear on the implications of this advisory.
It's my goal to help dispel some of those questions in this post.
Note: this post is not an official statement from Fortinet, it doesn't claim to be, and should not be held as such. This is just some madman rambling off his opinion of things.
Let's start with the vulnerabilities:
CVE-2018-13379 (FG-IR-18-384) - FortiOS System File leak through SSL VPN
Description: A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through a specifically crafted HTTP resource request.
This one is interesting, as it included a few pretty serious vulnerabilities.
This was disclosed, and a fix provided, in May of 2019 - the first round of news (fixed in 5.4.13, 5.6.9, and 6.0.5; non-existent in 6.2 or 6.4).
This CVE was also featured at Black Hat later, in August of 2019 - the second round of news.
News articles like this one, posted around November of 2020, shared yet another round of news.
It's important to note that there was no data leak; this was all a result of the CVE having been disclosed and a large number of devices remaining unpatched.
Fortinet released an official statement here.
CVE-2019-5591 (FG-IR-19-037) - FortiGate default configuration does not verify the LDAP server identity
Description: A default configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
Basically, unencrypted LDAP doesn't validate the identity of the server; that validation is a function of LDAPS.
I'm not sure I'd call this a FortiOS vulnerability so much as an inherent vulnerability within LDAP itself - you know, clear text and all.
This was disclosed, and the default configuration fixed, in July of 2019.
CVE-2020-12812 (FG-IR-19-283) - FortiOS SSL VPN 2FA bypass by changing username case
Description: An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for a second factor of authentication if they changed the case of their username.
This was disclosed, and a fix provided, in July of 2020.
This happens when a local user is defined with the authentication type set to a remote server/method (e.g. LDAP).
At the risk of sounding like Captain Obvious, this is probably an oversight: LDAP, for example, is case-insensitive when it comes to usernames, yet the onboard FortiToken username attribute (the one that ties the token to the user) is case-sensitive.
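To make that case-sensitivity mismatch concrete, here is an added toy model (my own illustration, not FortiOS code): a directory that matches usernames case-insensitively sits next to a token table keyed on the raw string, and the fixed version canonicalizes once and fails closed. Every username, password and token secret below is constructed sample data.

```python
"""Toy model of the CVE-2020-12812 bug class: two subsystems canonicalize
the username differently. All names, passwords and secrets are constructed."""
import hashlib
import hmac
import struct

# Constructed remote directory (stands in for an LDAP server). LDAP matches
# usernames case-insensitively, so the key is stored case-folded.
REMOTE_USERS = {"alice": "correct horse battery staple"}

# Constructed local token enrolment, keyed on the name exactly as typed at
# enrolment time: the case-sensitive side of the mismatch.
TOKEN_SECRETS = {"alice": b"0123456789abcdef0123"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, so the second-factor check is a real OTP comparison."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def remote_auth(username: str, password: str) -> bool:
    """Directory-style check: case-insensitive username, exact password."""
    stored = REMOTE_USERS.get(username.casefold())
    return stored is not None and hmac.compare_digest(stored, password)


def login_vulnerable(username: str, password: str, otp, counter: int = 0) -> bool:
    """Token lookup uses the raw username: 'ALICE' passes the directory check
    but misses the token table, so no second factor is ever demanded."""
    if not remote_auth(username, password):
        return False
    secret = TOKEN_SECRETS.get(username)           # case-sensitive lookup
    if secret is None:
        return True                                # no token on file -> 2FA skipped
    return otp is not None and hmac.compare_digest(otp, hotp(secret, counter))


def login_fixed(username: str, password: str, otp, counter: int = 0) -> bool:
    """Canonicalize once, use that key for every lookup, and fail closed when a
    user who must have a token has none on file."""
    canon = username.casefold()
    if not remote_auth(canon, password):
        return False
    secret = TOKEN_SECRETS.get(canon)              # same key as enrolment
    if secret is None:
        return False                               # fail closed rather than skip 2FA
    return otp is not None and hmac.compare_digest(otp, hotp(secret, counter))
```

The lesson for any system gluing a remote identity source to a local second factor: derive one canonical identity key and use it for enrolment, lookup and policy alike.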
At the time of the statement by the FBI and CISA, all of these CVEs were at least 6 months old, and Fortinet had provided fixes for at least that long (we're coming up on 2 years for CVE-2018-13379). It's my opinion that the FBI and CISA felt there were enough unpatched/un-remedied FortiGates out there, with the above vulnerabilities being actively exploited, that a statement was necessary for Federal, State and Local agencies using these technologies to get their act together and apply updates.
I will also share my personal strategy as to when to update, and what version to update to:
Release notes: read them. Why? CLI changes, UI changes, things that impact your day-to-day; known and resolved issues, things that can really mess up your day-to-day.
Version number: is it a .0 release? If yes, don't upgrade in production (this applies to all vendors).
Get a lab system (VM, physical, whatever) and try to mimic as much of your production as possible.
Are there known issues that may impact you? Evaluate these and upgrade accordingly.
Is there a security vulnerability fix included? Upgrade.
Is there a bug fix you need? Upgrade.
Is there a feature you need, have you evaluated the known issues, and are you comfortable with them? If yes, then upgrade.
Every vendor has vulnerabilities; how you handle them is key. Fortinet has made their PSIRT Policy public.
The vulnerabilities the FBI and CISA announced were fixed a long time ago.
Most exploits and breaches take advantage of known vulnerabilities; zero-days are rare.
Ensure you have a patch/update management plan in place to avoid being caught off guard.
Thank you for reading, I hope this is helpful.