Advisories
Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.
3:45pm, 1 December 2020
TLP Rating:
What's happening
Systems affected
Fortinet devices running SSL VPN with local authentication for users, running the following versions:
- FortiOS 6.0.0 to 6.0.4
- FortiOS 5.6.3 to 5.6.7
- FortiOS 5.4.6 to 5.4.12
What this means
If you have affected devices that have not been patched, or have only been patched recently, then it’s likely your SSL VPN credentials have been compromised.
What to look for
How to tell if you're affected
Check your Fortinet device logs for requests to the following URL or similar, which may indicate SSL VPN credentials being compromised. Please note, you will need to remove the spaces following the /.. sections when copying or using the text below.
/remote/fgt_lang?lang=/.. /.. /.. /.. //////////dev/cmdb/sslvpn_websession
Also check the access logs for the SSL VPN service for any unexpected or unusual connections, which may indicate use of the compromised credentials to access the VPN.
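One way to run the URL check above over exported logs, as an added example that is not part of the original advisory or any Fortinet tooling. The log line layout, the sample lines and the function names are assumptions made for illustration; the indicator is taken from the text above, and the "or similar" case is handled by decoding percent-encoding before matching.

```python
import re
from urllib.parse import quote, unquote

# Indicator exactly as printed in the advisory, spaces after "/.." included.
ADVISORY_TEXT = "/remote/fgt_lang?lang=/.. /.. /.. /.. //////////dev/cmdb/sslvpn_websession"
INDICATOR = ADVISORY_TEXT.replace(" ", "")  # remove the spaces, as the advisory instructs
LANG_VALUE = INDICATOR.split("lang=", 1)[1]

# "or similar": any fgt_lang request whose lang value walks directories or
# names the sslvpn_websession file, whatever the slash count or letter case.
FGT_LANG = re.compile(r'/remote/fgt_lang\?(?:[^\s"]*&)?lang=([^\s"&]*)', re.I)

def decode(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding before matching."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_requests(lines):
    """Return (line_number, lang_value) for lines matching the indicator or a variant."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = FGT_LANG.search(decode(line))
        if not match:
            continue
        lang = match.group(1).lower()
        if ".." in lang or "sslvpn_websession" in lang:
            hits.append((number, match.group(1)))
    return hits

# Constructed sample lines in a generic access-log layout (an assumption;
# adapt the input handling to your device's real log export).
SAMPLE_LOG = [
    '203.0.113.10 "GET /remote/login?lang=en HTTP/1.1" 200',
    f'198.51.100.7 "GET {INDICATOR} HTTP/1.1" 200',
    f'198.51.100.7 "GET /remote/fgt_lang?lang={quote(LANG_VALUE, safe="")} HTTP/1.1" 200',
    '203.0.113.10 "GET /remote/fgt_lang?lang=en HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, lang in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious lang value {lang!r}")
```

Any hit should be followed up by reviewing the SSL VPN access logs for logins from the same period, as described above.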
What to do
Prevention
Patch your Fortinet devices. Once patched, change the passwords of any local SSL VPN users.
Mitigation
VPN services should be configured to use MFA, which would protect against stolen credentials being used to access the VPN.
More information
The Fortinet security advisory can be found on their website.
This advisory follows on from our 2019 alert about VPN vulnerabilities:
Virtual private network (VPN) vulnerabilities being exploited
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.