A list of Fortinet VPNs with exploitable vulnerability got published

by Ugnius Kiguolis - - 2020-11-23

Hacker exposed a list of 50 000 Fortinet VPN devices that can be easily exploited

Vulnerability in FortiOS revealed to be unpatched still Flaw from 2018 ca still be used in targeted attacks aimed at 50 000 domains.

The list hacker posted contains a list of online exploits that can work for credential stealing from all of those devices.^[1] Apparently these vulnerabilities were not unpatched for at least a year.^[2] Vulnerable targets on the list include domains of high street banks, government organizations, other companies from various places in the world.

A particular vulnerability is CVE-2018-13379. The flaw can impact numerous unpatched Fortinet FortiOS SSL VPN devices. An attacker can use the flaw and remotely access the system files via HTTP requests that do not require authentication. This is how hackers can steal login credentials to use them later, compromise a network, and spread other threats.^[3]

The particular vulnerability was reported to Fortinet by December 2018 when researchers found this flaw alongside other vulnerabilities.^[4] The patched version of FortiOS was released in May 2019, but the habit of patching flaws late resulted in the list with still vulnerable domains.

Targets – various organizations of finance and notable banks

This vulnerability in question was already disclosed a year ago. However, when researchers spotted almost 50 000 targets still vulnerable to this flaw, another source found a hacker forum with the full list. Threat actors exposed 49 577 devices that can become targets of such an exploit.^[5]

Domains on the list reveal at least four dozen banking, finance, government institutions vulnerable to this flaw. The person that found a list of IPs investigates further to identify those organizations that possibly got or might get impacted:

To better find out which companies were impacted, I launched an nslookup on all the IPs on the list and for many of them, I found the associated domain.

The very slow patching process of the easily exploitable vulnerability

This is not a new bug, but according to analysis and researchers' reports organizations have a tendency to patch such vulnerabilities slowly, so attackers can continue exploitation of such well-known bugs for longer. This flaw is easily exploitable, so such a habit leads to compromised domains of all sectors.

However, it is already noted that a particular flaw was used to break into the US government elections support system. CISA reported back in October, during the election in the United States of America, actors from the APT group used the flaw to target federal and state, local, tribal, territorial government networks, election organizations.

Researchers at the time also talked about the possibility that the CVE-2018-13379 flaw is a particularly dangerous VPN bug that could be used in future attacks. Any bug can be used to target unpatched and internet-connected network devices with such attacks. Additional vulnerabilities that can be used by hackers:

CVE-2019-19781
CVE-2020-15505
CVE-2019-11510
CVE-2020-2021
CVE-2020-5902

Various network administrators and cybersecurity professionals are encouraged to patch this severe vulnerability as soon as possible. Many attacks are showing how these bugs can be used.

About the author

Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions

References

^ Bank Security. Vulnerability reveal. Twitter. Social media platform.
^ Juha Saarinen. Fortinet SSL VPNs published. ITnews. Security and technology news.
^ Catalin Cimpanu. Top exploits used by ransomware gangs are VPN bugs, but RDP still reigns supreme. ZDNet. Technology news.
^ FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests. Fortiguard. Advisory.
^ CVE-2018-13379 Detail. Nvd. Vulnerabilities explained.