The FBI and the Cybersecurity and Infrastructure Security Agency said advanced hackers are likely to exploit critical vulnerabilities in the Fortinet FortiOS VPN in an effort to plant a beachhead to breach medium and large businesses in later attacks.
“APT actors can use these vulnerabilities or other commonly used exploitative techniques to gain initial access to multiple government, commercial and technology services,” the agencies said in a joint advisory on Friday. “Gaining initial access positions the APT actors to launch future attacks.” APT is short for Advanced Persistent Threat, a term used to describe well-organized and well-funded hacking groups, many of which are supported by nation-states.
Breaking the Splinter
Fortinet FortiOS SSL VPNs are primarily used in border firewalls, which separate sensitive internal networks from the public internet. Two of the three already patched vulnerabilities listed in the advisory – CVE-2018-13379 and CVE-2020-12812 – are particularly serious because they allow unauthenticated hackers to steal credentials and connect to VPNs that have yet to be updated.
“If the VPN credentials are also shared with other internal services (for example, if they are Active Directory, LDAP, or similar single sign-on credentials), the attacker immediately gains access to those services with the privileges of the user whose credentials were stolen,” says James Renken, a site reliability engineer with the Internet Security Research Group. Renken is one of two people to have discovered a third FortiOS vulnerability – CVE-2019-5591 – which, according to Friday’s advisory, was also likely exploited. “The attacker can then explore the network, attempt to exploit various internal services, etc.”
One of the most serious security bugs – CVE-2018-13379 – was found and disclosed by researchers Orange Tsai and Meh Chang of security firm Devcore. Slides from a talk the researchers gave at the 2019 Black Hat security conference describe it as “pre-auth arbitrary file reading,” meaning it allows the exploiter to read password databases or other files of interest without logging in.
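The “pre-auth arbitrary file reading” class described above is something defenders can look for in the access logs of a web server or VPN appliance. The Python script below is an added example, not code from the article, Devcore or Fortinet: it scans constructed combined-format log lines for directory-traversal segments (including percent-encoded and double-encoded forms, which a naive substring match on `../` misses) and rates a hit higher when the request succeeded with HTTP 200 and named a file that looks sensitive. The log lines, the `/lang?file=` endpoint and the sensitive-name list are constructed for illustration; the page gives no endpoint path for the FortiOS bug, so the detector matches the generic traversal pattern rather than any product-specific URL.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 1532
203.0.113.9 - - [12/Apr/2021:10:01:05 +0000] "GET /static/app.css?v=3 HTTP/1.1" 200 812
198.51.100.7 - - [12/Apr/2021:10:02:11 +0000] "GET /lang?file=/../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.7 - - [12/Apr/2021:10:02:12 +0000] "GET /lang?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 312
192.0.2.33 - - [12/Apr/2021:10:03:40 +0000] "GET /docs/..%2fsessions.db HTTP/1.1" 200 73812
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A ".." path segment bounded by / or \ (or the string ends), after decoding.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

# Hypothetical hints for files whose disclosure would matter; tune per environment.
SENSITIVE_HINTS = ("passwd", "shadow", "session", ".db", "config")


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (%252e -> %2e -> .) so encoded traversal is visible."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(line: str):
    """Return a finding dict for a traversal attempt, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["target"])
    if not TRAVERSAL_RE.search(decoded):
        return None
    sensitive = any(h in decoded.lower() for h in SENSITIVE_HINTS)
    status = int(m["status"])
    # A successful (200) traversal toward a sensitive name is the case worth paging on;
    # a blocked or failed attempt is still worth recording as reconnaissance.
    severity = "high" if (status == 200 and sensitive) else "medium"
    return {
        "ip": m["ip"], "ts": m["ts"], "raw": m["target"], "decoded": decoded,
        "status": status, "sensitive": sensitive, "severity": severity,
    }


def scan(log_text: str):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['status']} {f['raw']} -> {f['decoded']}")
```

Run on the constructed sample, the script flags three of the five lines: the two HTTP 200 requests that reach a password file and a session database are rated high, and the double-encoded request that was answered with a 404 is rated medium. Decoding before matching is the important design choice; a rule that only inspects the raw URL would miss the last two attempts entirely.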
Security firm Tenable, meanwhile, said that CVE-2020-12812 could allow an attacker to bypass two-factor authentication and log in successfully.
In an emailed statement, Fortinet said:
The security of our customers is our number one priority. CVE-2018-13379 is an old vulnerability that was fixed in May 2019. Fortinet immediately issued a PSIRT advisory and communicated multiple times directly with customers and through corporate blog posts in August 2019 and July 2020, strongly recommending an upgrade. After the resolution, we communicated with customers consistently until 2020. CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020. For more information, please visit our blog and refer immediately to the May 2019 advisory. If customers have not done so, we urge them to implement the upgrade and the recommended measures immediately.
The FBI and CISA have not provided details about the APT mentioned in the joint advisory. The advisory also hedges, saying only that there is a “probability” that the threat actors are actively exploiting the vulnerabilities.
Patching the vulnerabilities requires IT administrators to make configuration changes, and unless an organization runs a network with more than one VPN device, there will be downtime. While those hurdles are a real concern in environments where VPNs must be available around the clock, the risk of being swept up in a ransomware or espionage compromise is significantly greater.