Fortinet devices running SSL VPN with local authentication for users, running the following versions:
- FortiOS 6.0.0 to 6.0.4
- FortiOS 5.6.3 to 5.6.7
- FortiOS 5.4.6 to 5.4.12
What this means
If you have affected devices that have not been patched, or that have only been patched recently, then it is likely your SSL VPN credentials have been compromised.
What to look for
How to tell if you're affected
Check your Fortinet device logs for requests to the following URL or similar, which may indicate SSL VPN credentials being compromised. Please note, you will need to remove the spaces following the /.. sections when copying or using the text below.
/remote/fgt_lang?lang=/.. /.. /.. /.. //////////dev/cmdb/sslvpn_websession
Also check the access logs for the SSL VPN service for any unexpected or unusual connections, which may indicate that the compromised credentials are being used to access the VPN.
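As an added example, not from CERT NZ or Fortinet, the check described above expressed as a small Python log scanner. It assumes a generic web-access-log line format and uses constructed sample lines; real FortiOS log output will differ, so adapt the request-extraction regex to your log source.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic access-log style (not real FortiOS output).
# Lines 2 and 3 carry the indicator from the advisory; line 3 is the same request
# as the device might log it in percent-encoded form.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Aug/2019:10:01:22 +1200] "GET /remote/login?lang=en HTTP/1.1" 200 1532',
    '10.0.0.5 - - [12/Aug/2019:10:01:40 +1200] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 8821',
    '10.0.0.9 - - [12/Aug/2019:10:02:05 +1200] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 8821',
    '10.0.0.7 - - [12/Aug/2019:10:03:11 +1200] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 410',
]

# Pulls the request path out of the quoted "METHOD path HTTP/x.y" field (assumed log layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# One or more "/.." parent-directory segments followed by a slash.
TRAVERSAL_RE = re.compile(r'(?:/\.\.)+/')


def decoded_path(line: str):
    """Return the percent-decoded request path, or None if the line has no request field."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Decode twice so a double-encoded path still collapses to its plain form.
    return unquote(unquote(m.group("path")))


def is_suspicious(line: str) -> bool:
    """True for requests to /remote/fgt_lang whose lang parameter walks up the
    directory tree or names the sslvpn_websession file (the advisory's indicator)."""
    path = decoded_path(line)
    if path is None or not path.startswith("/remote/fgt_lang"):
        return False
    return bool(TRAVERSAL_RE.search(path)) or "sslvpn_websession" in path


def find_suspicious(lines):
    """Return (line_number, client_ip, decoded_path) for every flagged line,
    so the source addresses can be checked against the SSL VPN access logs."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_suspicious(line):
            hits.append((n, line.split(" ", 1)[0], decoded_path(line)))
    return hits


if __name__ == "__main__":
    for n, ip, path in find_suspicious(SAMPLE_LOGS):
        print(f"line {n}: {ip} requested {path}")
```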
What to do
Patch your Fortinet devices. Once patched, change the passwords of any local SSL VPN users.
VPN services should be configured to use MFA, which would protect against stolen credentials being used to access the VPN.
The Fortinet security advisory can be found on their website.
This advisory follows on from our 2019 alert about VPN vulnerabilities:
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at email@example.com or call the MBIE media team on 027 442 2141.