Feds say hackers are likely exploiting critical Fortinet VPN vulnerabilities

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said that advanced hackers are likely exploiting critical vulnerabilities in the Fortinet FortiOS SSL VPN in an attempt to establish a foothold from which to breach midsize and large organizations in follow-on attacks.

“APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial and technology services,” the agencies said on Friday in a joint advisory. “Gaining initial access pre-positions the APT actors to conduct future attacks.” APT is short for advanced persistent threat, a term used to describe well-organized and well-funded hacking groups, many of them backed by nation-states.

Breaking the perimeter

Fortinet FortiOS SSL VPNs are used primarily in perimeter firewalls, which separate sensitive internal networks from the public Internet. Two of the three already-patched vulnerabilities listed in the advisory, CVE-2018-13379 and CVE-2020-12812, are particularly serious because they allow unauthenticated attackers to steal credentials and log in to VPNs that have not yet been updated.

“If the VPN credentials are also shared with other internal services (for example, if they are Active Directory, LDAP or similar single sign-on credentials), the attacker immediately gains access to those services with the privileges of the user whose credentials were stolen,” said James Renken, a site reliability engineer at the Internet Security Research Group. Renken is one of two people who discovered the third FortiOS vulnerability, CVE-2019-5591, which Friday’s advisory said was probably also being exploited. “The attacker can then explore the network, attempt to exploit various internal services, and so on.”

The most serious of the bugs, CVE-2018-13379, was found and disclosed by researchers Orange Tsai and Meh Chang of the security firm Devcore. Slides from a talk the researchers gave at the Black Hat security conference in 2019 describe it as a “pre-authentication arbitrary file reading” flaw, meaning it allows an attacker to read password databases or other files of interest from the device without first logging in.
</gre_replace>
<gr_replace lines="17" cat="clarify" orig="Meanwhile, security company Tenable">
Meanwhile, security firm Tenable said that CVE-2020-12812 can allow an attacker to bypass two-factor authentication and log in successfully.

Meanwhile, security company Tenable said that CVE-2020-12812 could result in an explorer that bypasses two-factor authentication and successfully connects.

In an emailed statement, Fortinet said:

The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Following the resolution, we communicated consistently with customers through 2020. CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020. For more information, please visit our blog and refer immediately to the May 2019 advisory. If customers have not done so, we urge them to immediately implement the upgrade and mitigations.

The FBI and CISA did not provide details about the APT groups referred to in the joint advisory. The advisory also hedges, saying only that there is a “likelihood” that the threat actors are actively exploiting the vulnerabilities.

Fixing the vulnerabilities requires IT administrators to make configuration changes, and unless an organization runs a network with more than one VPN device, there will be downtime. Because two of the bugs let attackers steal credentials, patching alone does not undo an earlier compromise: credentials that could already have been harvested from an unpatched device should be reset as well. Although such hurdles are often a hard sell in environments that need their VPNs available around the clock, the risk of a ransomware or espionage compromise is significantly greater.
