Advisories

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.


3:45pm, 1 December 2020

TLP Rating: White

What's happening

Systems affected

Fortinet devices running SSL VPN with local authentication for users, running the following versions:

  • FortiOS 6.0.0 to 6.0.4
  • FortiOS 5.6.3 to 5.6.7
  • FortiOS 5.4.6 to 5.4.12

What this means

If you have affected devices that have not been patched, or have only been patched recently, then it’s likely your SSL VPN credentials have been compromised.

What to look for

How to tell if you're affected

Check your Fortinet device logs for requests to the following URL or similar, which may indicate SSL VPN credentials being compromised. Please note, you will need to remove the spaces following the /.. sections when copying or using the text below. 

/remote/fgt_lang?lang=/.. /.. /.. /.. //////////dev/cmdb/sslvpn_websession

Also check the access logs for the SSL VPN service for any unexpected or unusual connections, which may indicate use of the compromised credentials to access the VPN.
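One way to run this log check, including percent-encoded forms of the same request, is sketched below. This is an added example, not part of the original advisory or any Fortinet tooling; the log line layout and the sample entries are constructed, so adapt the input to however your device logs are exported.

```python
import re
from urllib.parse import unquote

# Indicator from the advisory: a request to /remote/fgt_lang whose "lang"
# parameter walks up directories or names the sslvpn_websession file.
LANG_PARAM = re.compile(r'/remote/fgt_lang\?(?:[^\s"]*&)?lang=([^\s"&]*)')
TRAVERSAL = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
TARGET = "sslvpn_websession"

def normalise(text):
    """Percent-decode up to three times so encoded variants also match."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()

def is_suspicious(line):
    """True if the line holds the advisory's request pattern or a close variant."""
    match = LANG_PARAM.search(normalise(line))
    if not match:
        return False
    value = match.group(1)
    return bool(TRAVERSAL.search(value)) or TARGET in value

def scan(lines):
    """Return the 1-based line numbers of suspicious entries."""
    return [n for n, line in enumerate(lines, 1) if is_suspicious(line)]

# Constructed sample entries in a generic layout (not a real Fortinet log format).
SAMPLE_LOG = [
    "2020-11-30T10:01:02Z 192.0.2.10 GET /remote/login?lang=en 200",
    "2020-11-30T10:01:05Z 198.51.100.7 GET "
    "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 200",
    "2020-11-30T10:02:11Z 198.51.100.7 GET "
    "/remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2fdev%2fcmdb%2fsslvpn_websession 200",
    "2020-11-30T10:03:00Z 192.0.2.10 GET /remote/fgt_lang?lang=en 200",
]

if __name__ == "__main__":
    for number in scan(SAMPLE_LOG):
        print(f"line {number}: {SAMPLE_LOG[number - 1]}")
```

Any hit should be treated as a reason to review the SSL VPN access logs for the same source address and to reset local SSL VPN passwords after patching.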

What to do

Prevention

Patch your Fortinet devices. Once patched, change the passwords of any local SSL VPN users.

Mitigation

VPN services should be configured to use MFA, which would protect against stolen credentials being used to access the VPN.

More information

Fortinet's security advisory can be found on their website.

This advisory follows on from our 2019 alert about VPN vulnerabilities:

Virtual private network (VPN) vulnerabilities being exploited

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at media@mbie.govt.nz or call the MBIE media team on 027 442 2141.