Vulnerability in Fortinet firewalls being exploited
Vulnerability CVE-2018-13379 - published in 2019 - has been exploited to access sensitive information from vulnerable devices running Fortinet’s FortiOS software.
This allows an attacker to steal plain text SSL VPN credentials, which can be used to log in to the SSL VPN. A list of credentials obtained from vulnerable services has been publicly posted. The list includes any local users that were logged in to the VPN at the time of collection.
Affected devices are Fortinet devices running SSL VPN with local user authentication on the following FortiOS versions:
- FortiOS 6.0.0 to 6.0.4
- FortiOS 5.6.3 to 5.6.7
- FortiOS 5.4.6 to 5.4.12
What this means
If you have affected devices that have not been patched, or that have only been patched recently, then it's likely your SSL VPN credentials have been compromised.
What to look for
How to tell if you're affected
Check your Fortinet device logs for requests to the following URL or similar, which may indicate SSL VPN credentials being compromised. Please note, you will need to remove the spaces following the /.. sections when copying or using the text below.
/remote/fgt_lang?lang=/.. /.. /.. /.. //////////dev/cmdb/sslvpn_websession
Also check the access logs for the SSL VPN service for any unexpected or unusual connections, which may indicate use of the compromised credentials to access the VPN.
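The two checks above can be scripted. The following is an added example, not code from the original advisory or from Fortinet: it parses key=value style log lines, flags requests to the fgt_lang endpoint whose lang parameter walks the filesystem (including percent-encoded and extra-slash variants of the path shown above), flags SSL VPN tunnel-up events from source addresses outside a per-user baseline, and reports addresses that appear in both lists. The log line layout, the field names (url, srcip, user, action) and the KNOWN_SOURCES baseline are assumptions for illustration; the sample log is constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (assumed layout, not real FortiGate output).
# 198.51.100.7 reads the session file twice, then logs in as alice from an
# address alice has never used; 203.0.113.10 is a benign login page request.
SAMPLE_LOG = """\
date=2019-08-10 time=10:01:12 srcip=203.0.113.10 url="/remote/login?lang=en" status=200
date=2019-08-10 time=10:01:40 srcip=203.0.113.10 url="/remote/fgt_lang?lang=en" status=200
date=2019-08-10 time=10:02:45 srcip=198.51.100.7 url="/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" status=200
date=2019-08-10 time=10:03:01 srcip=198.51.100.7 url="/remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession" status=200
date=2019-08-10 time=11:15:30 user="alice" srcip=192.0.2.25 action="tunnel-up" msg="SSL VPN tunnel up"
date=2019-08-10 time=23:47:02 user="alice" srcip=198.51.100.7 action="tunnel-up" msg="SSL VPN tunnel up"
"""

# Assumed per-user baseline of expected source addresses; in practice build it
# from your own historical VPN logs.
KNOWN_SOURCES = {"alice": {"192.0.2.25"}}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict; quoted and bare values are both handled."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def normalize_url(url, rounds=3):
    """Percent-decode repeatedly (defeats double encoding) and collapse runs of '/'."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return re.sub(r"/+", "/", url)


def is_websession_read(url):
    """True for the fgt_lang traversal read of sslvpn_websession or a variant of it
    (different number of '..' segments, percent encoding, padding slashes)."""
    parts = urlsplit(normalize_url(url))
    if not parts.path.endswith("/remote/fgt_lang"):
        return False
    lang = parse_qs(parts.query).get("lang", [""])[0]
    # A language name never contains '..' or an absolute path.
    return ".." in lang or lang.startswith("/") or "sslvpn_websession" in lang


def find_websession_reads(log_text):
    """Return (srcip, url) for every request that matches the credential-read pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        url = rec.get("url")
        if url and is_websession_read(url):
            hits.append((rec.get("srcip"), url))
    return hits


def find_unusual_logins(log_text, known_sources):
    """Return (user, srcip) for tunnel-up events from an address outside the user's baseline."""
    unusual = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "tunnel-up":
            continue
        user, src = rec.get("user"), rec.get("srcip")
        if src not in known_sources.get(user, set()):
            unusual.append((user, src))
    return unusual


def attackers_using_stolen_creds(log_text, known_sources):
    """Addresses seen both reading the session file and logging in from an unexpected
    location: the strongest indication that the stolen credentials were used."""
    readers = {ip for ip, _ in find_websession_reads(log_text)}
    logins = {ip for _, ip in find_unusual_logins(log_text, known_sources)}
    return sorted(readers & logins)


if __name__ == "__main__":
    for ip, url in find_websession_reads(SAMPLE_LOG):
        print(f"credential read from {ip}: {url}")
    for user, ip in find_unusual_logins(SAMPLE_LOG, KNOWN_SOURCES):
        print(f"unexpected login: {user} from {ip}")
    print("likely use of stolen credentials:", attackers_using_stolen_creds(SAMPLE_LOG, KNOWN_SOURCES))
```

Any hit from find_websession_reads means the credentials of everyone logged in at that moment should be treated as compromised, regardless of whether a matching login has been seen yet; the baseline comparison only tells you whether they have already been used.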
What to do
Patch your Fortinet devices. Once patched, change the passwords of any local SSL VPN users.
VPN services should be configured to use MFA, which would protect against stolen credentials being used to access the VPN.
Fortinet's security advisory can be found on their website.
This advisory follows on from our 2019 alert about VPN vulnerabilities.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk or call the MBIE media team on 027 442 2141.