A list of nearly 50,000 Fortinet VPN devices exposed to the one-line exploit for the vulnerability tracked as CVE-2018-13379, which can be used to steal VPN credentials, has been posted online.
The vulnerability is an improper limitation of a pathname to a restricted directory (“Path Traversal”) in the SSL VPN web portal of Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12. It allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. According to NIST NVD, the flaw has a CVSS base score of 9.8 – CRITICAL.
The compilation contains 49,577 IP addresses vulnerable to Fortinet SSL VPN CVE-2018-13379, according to Bank Security, who first noticed the leak on Twitter.
After an nslookup on all IPs, I found that among the victims there are some banks, many .gov domains and thousands of companies around the world. https://t.co/F4o9xzjGJ4
— Bank Security (@Bank_Security) November 20, 2020
In detail, exploitation of this critical Fortinet vulnerability gives the attacker read access to the sensitive “sslvpn_websession” files of the Fortinet VPN appliance.
After analyzing the leaked data, we noticed the list of vulnerable targets includes domains belonging to large enterprises, financial institutions, and government organizations from all over the world. In order to understand the volume and impact of this threat, we organized all the data on a geographic map presented below.
Geomap of impacted countries
As observed, the USA is the most impacted country, with a total of 10,103 vulnerable devices shared in this leak. China, Japan, Korea, Brazil, Germany, United Kingdom, Spain, Italy, and France complete the top 10 most impacted countries. Portugal can also be found in this list, with 136 vulnerable devices. The complete list from this analysis follows.
Complete list of affected countries (vulnerable devices per country)

10103 United States
6336 China
2821 Japan
2543 Korea
2280 Brazil
2212 Germany
2127 United Kingdom
1547 Spain
1370 Italy
1294 France
1096 Australia
981 Russian Federation
847 Netherlands
761 Argentina
688 Taiwan
648 Canada
575 Egypt
569 Colombia
520 South Africa
444 India
424 Poland
400 Sweden
397 Indonesia
384 Denmark
374 Mexico
367 Switzerland
364 Turkey
353 Chile
344 Viet Nam
325 Venezuela
308 Ukraine
267 Hong Kong
253 Pakistan
238 Hungary
226 Finland
220 New Zealand
217 Czech Republic
206 Romania
177 Belgium
163 Austria
153 Iran
147 Philippines
136 Portugal
135 Estonia
128 Norway
123 Saudi Arabia
122 Peru
118 Ireland
113 Panama
110 Thailand
104 Malaysia
88 Kuwait
87 Israel
77 Uruguay
73 Azerbaijan
69 Singapore
61 United Arab Emirates
59 El Salvador
58 Bangladesh
55 Slovenia
53 Greece
51 Belarus
51 Kenya
46 Bulgaria
45 Paraguay
45 Slovakia
43 Oman
41 Ecuador
41 Lithuania
41 Morocco
38 Honduras
37 Dominican Republic
31 Guatemala
31 Seychelles
30 Puerto Rico
24 Latvia
22 Macedonia
21 Luxembourg
20 Qatar
19 Kazakhstan
19 Kyrgyzstan
18 Nicaragua
17 Croatia
17 Cyprus
17 Lebanon
16 Algeria
15 Jordan
14 Bahrain
14 Costa Rica
12 Ghana
12 Moldova
12 Syrian Arab Republic
11 Nigeria
11 Uzbekistan
10 Bolivia
10 Holy See (Vatican City State)
10 Iraq
10 Trinidad And Tobago
9 Bosnia And Herzegovina
9 Iceland
8 Cameroon
8 Palestinian Territory
8 Tanzania
7 Georgia
7 Ivory Coast
7 Mauritius
7 Myanmar
7 Zambia
6 Angola
6 Armenia
6 Mozambique
6 Sri Lanka
5 French Polynesia
5 Liberia
5 Montenegro
4 Palau
4 Tunisia
3 Afghanistan
3 Aruba
3 Fiji
3 Malawi
3 Nepal
2 Aland Islands
2 Bahamas
2 Bermuda
2 Cuba
2 Guam
2 Rwanda
2 Uganda
1 Andorra
1 Belize
1 Benin
1 Botswana
1 Cambodia
1 Cayman Islands
1 Guinea
1 Martinique
1 Papua New Guinea
1 Republic of the Congo
1 Reunion
Some days after the leak, another thread was published on the same forum. A threat actor shared the data dumped from the list of vulnerable devices, which contained the “sslvpn_websession” file for every IP.
— Bank Security (@Bank_Security) November 24, 2020
As observed, these files reveal usernames, passwords, access levels (e.g., “full-access”, “root”), and the original unmasked IP addresses of the users connected to the VPNs.
The data exfiltrated from the vulnerable Fortinet VPNs, also posted on the forum, is a compressed file of only a few megabytes that expands to over 7 GB when decompressed.
The passwords exposed in these files can be abused by criminals to connect to the organization’s internal networks and bypass security restrictions, since in some cases the leaked accounts are highly privileged. In other scenarios, these credentials could be reused by anyone with access to this dump to perform credential stuffing attacks.
Impact of this leak
Although this flaw was disclosed more than a year ago, several companies have yet to patch their systems, despite the many warnings from security experts. As a result of this leak, an attacker can access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then be used to compromise a network and deploy malware.
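To help defenders spot attempts against the traversal described above, here is an added log-scanning example (not code from the original article or from Fortinet): it percent-decodes the request target of each web log line and flags requests that carry `..` path components or reference the sslvpn_websession file. The log format, the `/remote/portal?file=` endpoint and all IPs in SAMPLE_LOG are constructed for illustration and are not the real vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log style (not real FortiOS logs).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1532
203.0.113.9 - - [20/Nov/2020:10:01:07 +0000] "GET /remote/portal?file=../../../sslvpn_websession HTTP/1.1" 200 40960
198.51.100.7 - - [20/Nov/2020:10:02:11 +0000] "GET /remote/portal?file=%2e%2e%2f%2e%2e%2fsslvpn%5fwebsession HTTP/1.1" 200 40960
203.0.113.5 - - [20/Nov/2020:10:03:00 +0000] "POST /remote/logincheck HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SESSION_FILE = "sslvpn_websession"  # file named in the advisory and the leak


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal_attempt(target: str) -> bool:
    """True if the decoded target has a '..' path component or names the session file."""
    decoded = decode_target(target).replace("\\", "/").lower()
    parts = re.split(r"[/?=&]", decoded)
    return ".." in parts or SESSION_FILE in decoded


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per suspicious request; a 200 status means data was likely served."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "decoded": decode_target(m["target"]),
                "status": int(m["status"]),
                "likely_success": m["status"] == "200",
            })
    return hits
```

A hit with status 200 on the session file is the signal to treat every credential on that appliance as compromised and rotate it, in addition to patching.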
In Portugal, 136 devices are vulnerable and were shared in this leak.
Many professionals have already validated these credentials. The next images show a successful login to the Fortinet VPN web portal of a random organization, and a successful authentication through the Fortinet VPN client, both using a leaked password.
Last but not least, it is time to implement an efficient patch management process and to fix a vulnerability that has been publicly disclosed for two years.
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12
(branches and versions other than those above are not impacted)
Devices are affected ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
More details here: https://www.fortiguard.com/psirt/FG-IR-18-384
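As an added example (not code from the article or from Fortinet), the following checker encodes the affected ranges and fixed releases listed above so that an inventory of FortiOS version strings can be triaged offline; the version-string formats it accepts (for example "v6.0.3,build0200") are an assumption, not something the advisory specifies.

```python
import re

# Affected ranges and the first fixed release per branch, as listed above:
# branch -> (lowest affected, highest affected, first fixed)
AFFECTED = {
    (5, 4): ((5, 4, 6), (5, 4, 12), (5, 4, 13)),
    (5, 6): ((5, 6, 3), (5, 6, 7), (5, 6, 8)),
    (6, 0): ((6, 0, 0), (6, 0, 4), (6, 0, 5)),
}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings like 'v6.0.3,build0200' or '6.0.3'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text: str, sslvpn_enabled: bool) -> dict:
    """Decide whether a device is exposed to CVE-2018-13379 and what to upgrade to."""
    ver = parse_version(version_text)
    result = {"version": ".".join(map(str, ver)), "vulnerable": False,
              "upgrade_to": None, "reason": ""}
    if ver[:2] not in AFFECTED:
        result["reason"] = "branch not in affected list"
        return result
    low, high, fixed = AFFECTED[ver[:2]]
    if not (low <= ver <= high):
        result["reason"] = "version outside affected range"
        return result
    # Affected code is present either way; SSL VPN only decides current exposure.
    result["upgrade_to"] = ".".join(map(str, fixed))
    if sslvpn_enabled:
        result["vulnerable"] = True
        result["reason"] = "affected version with SSL VPN enabled"
    else:
        result["reason"] = "affected version, SSL VPN disabled: patch before enabling it"
    return result
```
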
Pedro Tavares is an information security professional working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.