Threat Watch

Attackers Expose Vulnerable Fortinet VPN Devices

An attacker has posted a list of one-line exploits to steal credentials of nearly 50,000 unpatched Fortinet VPN devices that are accessible from the Internet. Included in the list are vulnerable devices on domains that belong to high street banks and government agencies from around the world. The vulnerability, tracked as CVE-2018-13379, is a path traversal flaw that impacts a large number of unpatched Fortinet FortiOS SSL VPN devices. Although the flaw was disclosed over a year ago, researchers have spotted around 50,000 targets that have not been patched and are still vulnerable. The exploit posted by the attacker allows attackers access to the sslvpn_websession files from Fortinet VPNs to steal login credentials. By exploiting this flaw, unauthenticated remote attackers can access system files through specially crafted HTTP requests. Researchers from BleepingComputer have found over four dozen domains in the list that belong to reputable banking, finance, and governmental institutions.

ANALYST NOTES

According to an analyst at BleepingComputer, this particular exploit and other older exploits are still in play due to some organization’s slow patching process. Organizations are highly recommended to apply security patches as soon as they become available and to prioritize the patching of any system directly connected to the Internet with a publicly routable IP address, as well as any internal system that would allow an attacker to escalate their privileges to an administrator. Doing so will ensure that the latest security information from the program’s author is installed. If an organization is using Fortinet VPN, they should go to the website of Fortinet and download the patch immediately. It is also recommended, when looking for security patches, to only download them from the original company’s site—third party patches could potentially contain hidden malware or other nefarious code. After applying a patch, it is important to review the device’s log files to determine whether it was exploited before the patch was applied. If it was compromised or if the logs are insufficient to be sure, changing any passwords that might have been exposed is crucial to prevent attackers from returning later by using previously-stolen passwords.

Source Article: https://www.bleepingcomputer.com/news/security/hacker-posts-exploits-for-over-49-000-vulnerable-fortinet-vpns/