Fortinet has warned that 87,000 sets of credentials for FortiGate SSL VPN devices have been published online.
The California-based cybersecurity firm said on Wednesday that it is aware of the disclosure, and after investigating the incident, has come to the conclusion that the credentials have been obtained by exploiting CVE-2018-13379.
CVE-2018-13379 is a known security flaw impacting the FortiOS SSL VPN web tunnel software’s portal. The bug was patched and a fix was released in 2019, including two-factor authentication mitigation. However, close to two years on, the vulnerability has now come back to the fore with the release of stolen credentials online.
Fortinet says that the stolen information was “obtained from systems that remained unpatched” at the time an attacker performed a web scan for vulnerable devices.
If passwords for FortiOS SSL VPN builds have not been changed since this scan, Fortinet says they remain vulnerable to compromise. Furthermore, as FortiOS SSL VPN is popular with enterprise users, this could become an avenue for network attacks.
“Please note that a password reset following upgrade is critical to protecting against this vulnerability, in case credentials have already been compromised,” the company says.
CVE-2018-13379 was reported by Meh Chang and Orange Tsai from DEVCORE. Described as a path traversal flaw, the bug permits unauthenticated attackers to download system files through special crafted HTTP resource requests. The critical vulnerability was awarded a CVSS score of 9.8.
FortiOS 6.0 – 6.0.0 to 6.0.4, FortiOS 5.6 – 5.6.3 to 5.6.7, and FortiOS 5.4 – 5.4.6 to 5.4.12 are impacted by the bug and are vulnerable when the SSL VPN service has been enabled.
As noted by AdvIntel, that the dump was posted by the Groove ransomware group on their leak site. The threat actors said, ‘everything checked as valid,’ (Russian, translated) but this has not been verified.
The company has previously warned customers that this vulnerability is being weaponized by hacking groups in the wild (1,2). In June, the FBI issued an advisory (.PDF) stating that CVE-2018-13379 had been successfully used to infiltrate a webserver hosting a US municipal government domain.
“Since these vulnerabilities were first discovered, Fortinet has taken exhaustive steps to notify and educate customers, urging them repeatedly to upgrade their affected systems to the latest patch release,” the company said in June. “It’s a scenario software and firmware developers know all too well. Fortinet and organizations like the NCSC, FBI, and CISA have issued 15 separate notifications and advisories to Fortinet customers over the past two years, warning them of the risks of failing to update affected systems and providing links to critical patches.”
If users suspect they may have been involved in the breach due to a failure to refresh their credentials, the tech giant recommends that VPN services are temporarily disabled while organizations perform password resets.
Fortinet is also urging customers to upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, which contain the necessary security fixes.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0