Security Alerts Threat Actor posts exploits for over 49,000 vulnerable Fortinet devices

Wednesday, Nov 25, 2020

Executive Summary

A Threat Actor has published a list of 49,000+ Fortinet devices vulnerable to CVE-2018-13379, a path traversal flaw utilizing the SSL-VPN Websession files, on a forum.

This vulnerability was publicly disclosed over a year ago, and at the time of disclosure, Nuspire conducted an audit of all managed devices and worked with monitoring clients to inform them of the vulnerability and options on how to mitigate.

This same vulnerability has previously been targeted by Advanced Persistent Threat Groups and Fortinet has released multiple advisories regarding it. It is critical for organizations to upgrade their firmware or perform the recommended mitigation actions to protect their organization as this vulnerability is highly targeted.

The advisory on this vulnerability can be found here: https://www.fortiguard.com/psirt/FG-IR-18-384

Recommendations

Verify your Fortinet FortiOS version. Upgrade your firmware if required or ensure the SSL-VPN service is completely disabled on your device.

Affected Products:

The following versions are vulnerable to CVE-2018-13379:

FortiOS 5.4: Versions 5.4.6 to 5.4.12
FortiOS 5.6: Versions 5.6.3 to 5.6.7
FortiOS 6.0: Versions 6.0.0 to 6.0.4

Note: the the SSL-VPN service must be enabled to be vulnerable.

Solutions:

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above


Workarounds:

As a temporary solution, the only workaround is to completely disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Note: Firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.