The global impact of the Fortinet 50.000 VPN leak posted online, with many countries impacted, including Portugal.

A compilation of one-line exploits for the vulnerability tracked as CVE-2018-13379, which could be used to steal VPN credentials from nearly 50.000 Fortinet VPN devices, has been posted online.

The vulnerability is an improper limitation of a pathname to a restricted directory (“Path Traversal”) in the SSL VPN web portal of Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, which allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. According to NIST NVD, the flaw has a CVSS base score of 9.8 – CRITICAL.

The compilation contains 49,577 IP addresses vulnerable to Fortinet SSL VPN CVE-2018-13379, according to Bank Security, who first noticed the leak on Twitter.

In detail, exploitation of the critical Fortinet vulnerability gives the attacker a privileged position, with access to the sensitive “sslvpn_websession” files of Fortinet VPNs.
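The traversal described above is something a portal's web-server or proxy logs can be screened for. The detector below is an added example written for this post, not Fortinet's code or the leaked tooling: the access-log layout, the /portal/lang endpoint and every sample line are constructed, and the check is generic (repeated percent-decoding, path normalisation, and a look for the session file name the post identifies) rather than a signature for one request.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines: client IP, method, request target, status.
# The /portal/lang endpoint is hypothetical; it stands in for any portal
# handler that takes a file-like parameter.
SAMPLE_LOG = """\
203.0.113.5 GET /portal/login 200
203.0.113.9 GET /portal/lang?lang=en 200
198.51.100.7 GET /portal/lang?lang=/../../../../data/sslvpn_websession 200
198.51.100.7 GET /portal/lang?lang=..%252F..%252Fsslvpn_websession 200
203.0.113.20 GET /portal/images/../style.css 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# File names the post identifies as the target of the traversal.
SENSITIVE_FILES = ("sslvpn_websession",)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (..%252F) are revealed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(path: str) -> bool:
    """True if the path climbs above its starting directory after normalisation.

    Normalising relative to the root keeps any leading '..' components, so
    'a/../b' collapses to 'b' (harmless) while 'a/../../b' becomes '../b'.
    """
    cleaned = path.replace("\\", "/").lstrip("/")
    norm = posixpath.normpath(cleaned)
    return norm == ".." or norm.startswith("../")


def traversal_findings(target: str) -> list:
    """Return the reasons a request target looks like a traversal attempt."""
    parts = urlsplit(target)
    candidates = [parts.path]
    candidates += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = []
    for candidate in candidates:
        decoded = fully_decode(candidate)
        if escapes_root(decoded):
            reasons.append(f"escapes root: {candidate}")
        if any(name in decoded for name in SENSITIVE_FILES):
            reasons.append(f"references sensitive file: {candidate}")
    return reasons


def scan_log(text: str) -> list:
    """Return one record per suspicious line: ip, target and the reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = traversal_findings(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"], "; ".join(hit["reasons"]))
```

The path is normalised relative to its root rather than as an absolute path on purpose: absolute normalisation silently drops leading `..` components, which is exactly the evidence a detector needs to keep. A benign `images/../style.css` therefore passes, while anything that ends up above the root, or that names the session file after decoding, is reported with the client IP for follow-up.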

After analyzing the leaked data, we noticed the list of vulnerable targets includes domains belonging to large enterprises, financial institutions, and government organizations from all over the world. In order to understand the volume and impact of this threat, we organized all the data on a geographic map presented below.

Geomap of impacted countries

As observed, the USA is the most impacted country, with a total of 10.103 vulnerable devices shared in this leak. China, Japan, Korea, Brazil, Germany, United Kingdom, Spain, Italy, and France complete the TOP 10 most impacted countries. Portugal also appears in this list, with 136 vulnerable devices. The complete list from this analysis is presented next.

Complete list of affected countries

Devices	Country
10103	United States
6336	China
2821	Japan
2543	Korea
2280	Brazil
2212	Germany
2127	United Kingdom
1547	Spain
1370	Italy
1294	France
1096	Australia
981	Russian Federation
847	Netherlands
761	Argentina
688	Taiwan
648	Canada
575	Egypt
569	Colombia
520	South Africa
444	India
424	Poland
400	Sweden
397	Indonesia
384	Denmark
374	Mexico
367	Switzerland
364	Turkey
353	Chile
344	Viet Nam
325	Venezuela
308	Ukraine
267	Hong Kong
253	Pakistan
238	Hungary
226	Finland
220	New Zealand
217	Czech Republic
206	Romania
177	Belgium
163	Austria
153	Iran
147	Philippines
136	Portugal
135	Estonia
128	Norway
123	Saudi Arabia
122	Peru
118	Ireland
113	Panama
110	Thailand
104	Malaysia
88	Kuwait
87	Israel
77	Uruguay
73	Azerbaijan
69	Singapore
61	United Arab Emirates
59	El Salvador
58	Bangladesh
55	Slovenia
53	Greece
51	Belarus
51	Kenya
46	Bulgaria
45	Paraguay
45	Slovakia
43	Oman
41	Ecuador
41	Lithuania
41	Morocco
38	Honduras
37	Dominican Republic
31	Guatemala
31	Seychelles
30	Puerto Rico
24	Latvia
22	Macedonia
21	Luxembourg
20	Qatar
19	Kazakhstan
19	Kyrgyzstan
18	Nicaragua
17	Croatia
17	Cyprus
17	Lebanon
16	Algeria
15	Jordan
14	Bahrain
14	Costa Rica
12	Ghana
12	Moldova
12	Syrian Arab Republic
11	Nigeria
11	Uzbekistan
10	Bolivia
10	Holy See (Vatican City State)
10	Iraq
10	Trinidad And Tobago
9	Bosnia And Herzegovina
9	Iceland
8	Cameroon
8	Palestinian Territory
8	Tanzania
7	Georgia
7	Ivory Coast
7	Mauritius
7	Myanmar
7	Zambia
6	Angola
6	Armenia
6	Mozambique
6	Sri Lanka
5	French Polynesia
5	Liberia
5	Montenegro
4	Palau
4	Tunisia
3	Afghanistan
3	Aruba
3	Fiji
3	Malawi
3	Nepal
2	Aland Islands
2	Bahamas
2	Bermuda
2	Cuba
2	Guam
2	Rwanda
2	Uganda
1	Andorra
1	Belize
1	Benin
1	Botswana
1	Cambodia
1	Cayman Islands
1	Guinea
1	Martinique
1	Papua New Guinea
1	Republic of the Congo
1	Reunion

Some days after the leak, another thread was published on the same forum. A threat actor shared the data dumped from the list of vulnerable devices, which contains the “sslvpn_websession” file for every IP.

As observed, these files reveal usernames, passwords, access levels (e.g., “full-access”, “root”), and the original unmasked IP addresses of the users connected to the VPNs.

The details exfiltrated from the vulnerable Fortinet VPNs were also posted on the forum as a file of a few megabytes, which expands to over 7 GB when decompressed.

The passwords exposed in these files can be abused by criminals to connect to the organization’s internal networks and bypass security restrictions, since in some cases the accounts are highly privileged. In other scenarios, these credentials could be reused by anyone with access to this dump to perform credential stuffing attacks.

Impact of this leak

Although this flaw was disclosed more than a year ago, several companies have yet to patch their systems, despite the many warnings from security experts. As a result of this leak, an attacker can access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then be used to compromise a network and deploy malware.

In Portugal, 136 devices are vulnerable and were shared in this leak.

Many professionals have already validated these credentials. A successful login to the Fortinet VPN portal of a random organization, and successful authentication through the Fortinet VPN client with a leaked password, can be seen in the next images.

Last, but not least, this is the time to implement an efficient patch management process and to fix a vulnerability 2 years after its public disclosure.

Affected Products
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12

(branches and versions other than those above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

More details here: https://www.fortiguard.com/psirt/FG-IR-18-384
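The affected and fixed ranges above are easy to get wrong when checked by hand across three branches, so here is a small checker that encodes them. It is an added example for this post, not a Fortinet tool: the inclusive ranges and fixed releases come from the "Affected Products" and "Solutions" sections, the "major.minor.patch" version-string format is assumed, and whether the SSL VPN service is enabled must be supplied by the caller from the device configuration, since the post states the flaw applies only in that case.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) affected ranges per branch, from the post.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 4)),
    ((5, 6, 3), (5, 6, 7)),
    ((5, 4, 6), (5, 4, 12)),
]

# Fixed releases from the post's Solutions section ("... and above").
FIXED_RELEASES = [(5, 4, 13), (5, 6, 8), (6, 0, 5), (6, 2, 0)]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (an optional leading 'v' is tolerated)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: Version, ssl_vpn_enabled: bool) -> bool:
    """Vulnerable only if inside an affected range AND SSL VPN is enabled."""
    if not ssl_vpn_enabled:
        return False
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def recommended_upgrade(version: Version) -> Optional[Version]:
    """Prefer the fixed release on the same branch; otherwise the next fixed release."""
    same_branch = [f for f in FIXED_RELEASES if f[:2] == version[:2] and f > version]
    if same_branch:
        return min(same_branch)
    later = [f for f in FIXED_RELEASES if f > version]
    return min(later) if later else None


def assess(version_text: str, ssl_vpn_enabled: bool = True) -> dict:
    """Summarise exposure for one device: parsed version, affected flag, target release."""
    version = parse_version(version_text)
    affected = is_affected(version, ssl_vpn_enabled)
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": recommended_upgrade(version) if affected else None,
    }


if __name__ == "__main__":
    # Constructed inventory: (version string, SSL VPN enabled?)
    inventory = [("6.0.3", True), ("6.0.3", False), ("5.4.12", True), ("5.6.8", True), ("6.2.1", True)]
    for text, enabled in inventory:
        result = assess(text, enabled)
        print(text, "sslvpn" if enabled else "no-sslvpn", result["affected"], result["upgrade_to"])
```

Because the post scopes the flaw to devices with the SSL VPN service enabled, the checker treats that flag as part of the decision rather than reporting on version alone; a device outside the three ranges, such as 5.4.5 or 6.2.1, is reported as not affected, matching the note that other branches and versions are not impacted.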
