Active Exploitation of Fortinet Vulnerabilities

Published on 06 Apr 2021

Updated on 14 Apr 2021

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory to warn that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities.

Successful exploitation of the vulnerabilities could allow an attacker to take control of the affected systems and gain a foothold inside the targeted networks to conduct further malicious activities.

These vulnerabilities are:

  • CVE-2018-13379: A path traversal vulnerability in the FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted Hypertext Transfer Protocol (HTTP) resource requests.
  • CVE-2019-5591: A default configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the Lightweight Directory Access Protocol (LDAP) server.
  • CVE-2020-12812: An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Administrators and users of the affected products are advised to upgrade to the latest firmware immediately.
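As an added example (not from the advisory or from Fortinet), the following script shows how a defender could audit SSL VPN authentication records for the CVE-2020-12812 pattern described above: a successful login whose username matches a known account only after ignoring case, with no second factor prompted. The event fields and sample records are constructed assumptions for this example, not the FortiOS log schema.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    """One SSL VPN authentication record (constructed field names, not FortiOS's)."""
    user: str           # username exactly as submitted to the portal
    result: str         # "success" or "failure"
    mfa_prompted: bool  # whether a second factor (e.g. FortiToken) was requested


# Constructed directory of accounts that are required to use a second factor.
KNOWN_USERS = {"alice", "bob", "svc-backup"}

# Constructed sample events: a normal login, a changed-case username that
# succeeded without a second-factor prompt, a failed attempt and an unknown user.
SAMPLE_EVENTS = [
    LoginEvent("alice", "success", True),
    LoginEvent("Alice", "success", False),
    LoginEvent("BOB", "failure", False),
    LoginEvent("mallory", "success", False),
]


def canonical_user(submitted: str, known: set[str]) -> str | None:
    """Return the known account that `submitted` maps to after case folding, or None."""
    folded = submitted.casefold()
    for name in known:
        if name.casefold() == folded:
            return name
    return None


def find_case_mfa_bypass(events, known=KNOWN_USERS):
    """Return (submitted_user, canonical_user) for every successful login that
    matched a known account only by ignoring case and was not asked for a
    second factor. Exact-case logins are left to normal MFA policy checks."""
    findings = []
    for ev in events:
        if ev.result != "success" or ev.mfa_prompted:
            continue
        canon = canonical_user(ev.user, known)
        if canon is not None and canon != ev.user:
            findings.append((ev.user, canon))
    return findings


if __name__ == "__main__":
    for submitted, canon in find_case_mfa_bypass(SAMPLE_EVENTS):
        print(f"possible second-factor bypass: '{submitted}' logged in as '{canon}' without MFA")
```

A hit is an indicator to investigate alongside the firmware version, not proof of exploitation; a patched device should never produce a success event without the second factor for these accounts.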

More information is available here:
https://www.ic3.gov/Media/News/2021/210402.pdf
https://www.fortiguard.com/psirt/FG-IR-18-384
https://www.fortiguard.com/psirt/FG-IR-19-037
https://www.fortiguard.com/psirt/FG-IR-19-283