IP addresses published for over 49,000 exploitable Fortinet SSL VPNs

[German]A security researcher discovered a list of IP addresses that a hacker published in order to steal VPN access data from over 49,000 Fortinet VPN devices. The accesses are vulnerable to attack via a vulnerability that has long been closed. The list of vulnerable targets includes domains of major banks and government organizations from around the world.


The vulnerability CVE-2018-13379

Unpatched Fortinet VPN devices are vulnerable to single-line exploits via a vulnerability that has been in place since 2018. The exploits target the path traversal vulnerability CVE-2018-13379, which has an NVD score of 9.8 (out of 10). The ("Path Traversal" vulnerability occurs due to improper restriction of a pathname to a directory in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12. It allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests through the SSL VPN web portal.

PacketStorm-Security has written something about it here. At the beginning of May 2019 Fortinet published this PSIRT Advisory and released updates for the affected FortOS versions. So the vulnerability could have been patched long ago. But in February 2020 I reported in the German blog post Sicherheitssplitter (21. Feb. 2020) that Iranian hackers leave backdoors in VPN servers. They exploit various vulnerabilities, including Fortinet (CVE-2018-13379) – see also this English tweet.

Hacker posts IP list auf exploitable VPNs

Although the vulnerability may have been patched long ago, many Fortinet VPN accesses still seem to be running vulnerable FortiOS versions. Bleeping Computer catched the following tweet from a security expert with the alias Bank_Security attracted attention. 

Warning: Exploit for Fortinet VPNs
Exploit warning about vulnerable Fortinet VPNs

The hacker named pumpedkicks has published a list of the IP addresses of 48,577 Fortinet SSL VPN access points vulnerable to attack via the CVE-2018-13379 vulnerability. He then examined the list of these IP addresses and determined that SSL VPN accesses from government departments around the world are among the vulnerable targets. But there are also well-known banks and financial institutions that have not patched their Fortinet SSL VPN accesses.


Vulnerable Fortinet SSL VPNs
Vulnerable VPNs

The analyst told BleepingComputer:

"This is an old, well known and easily exploited vulnerability. Attackers already use it for a long time. Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity."

Bleeping Computer reported last month that the same vulnerability was exploited by the attackers to break into the U.S. government's election assistance systems. Are your Fortinet SSL VPN accesses patched for this vulnerability?

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *