[German]The Cybersecurity and Infrastructure Security Agency (CISA) has raised the alarm about a Fortinet FortiOS vulnerability. The Fortinet products with unpatched Fortinet FortiOS are under targeted attack. And Darknet has a list of credentials for such systems in circulation. Although there are patches for FortOS since May 2019, I have also found vulnerable devices in Germany in a leaked IP list.
Advertising
The US-CERT warning
US-CERT has warned on Twitter about a vulnerability in Fortinet products. US-CERT is urging people to immediately update Fortinet products to close a critical security vulnerability.
Here is the relevant text.
Fortinet FortiOS System File Leak
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of the possible exposure of passwords on Fortinet devices that are vulnerable to CVE 2018-13379. Exploitation of this vulnerability may allow an unauthenticated attacker to access FortiOS system files. Potentially affected devices may be located in the United States.
Furthermore, users are urged to update Fortinet devices immediately, as updates have been available for a long time (see following text). The authority links to a security advisory from Fortinet. I have extracted the required information about the CVE-2018-13379 vulnerability below.
Hackers sell access data
The term 'knowledge of possible password disclosure on Fortinet devices' is due to the fact that hackers on the Internet have not only published IP lists of vulnerable systems (see my blog post IP addresses published for over 49,000 exploitable Fortinet SSL VPNs). I randomly checked the IPs on the list and found devices in Belgium, France, Sweden, Turkey and many in the USA, but also locations in Germany. If you have Fortinet devices in use, you can see if their IP addresses appear in the respective file.
Advertising
But that's not all, because shortly after the leak with the list of IP addresses, a list of access data (user names, passwords, unmasked IP addresses) appeared in an underground forum.
The colleagues from Bleeping Computer had disclosed this in an article last week and point it out in the above tweet. So patching Fortinet devices is no longer enough. Subsequently, the access data should be changed. Administrators should also check whether the devices are already equipped with a backdoor. Bad Packets points this out in the following tweet.
The vulnerability CVE-2018-13379
Unpatched Fortinet VPN devices are vulnerable to single-line exploits via a vulnerability that has been in place since 2018. The exploits target the path traversal vulnerability CVE-2018-13379, which has an NVD score of 9.8 (out of 10). The ("Path Traversal" vulnerability occurs due to improper restriction of a path name to a directory in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12. It allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests through the SSL VPN web portal. PacketStorm-Security has written something about it here. At the beginning of May 2019 Fortinet has published a PSIRT Advisory and released updates for the affected FortOS versions. So the vulnerability could have been patched long ago.
