Over a year ago, Fortinet warned customers of its FortiOS SSL VPN devices to upgrade to the latest version of the operating system, reset passwords and make two-factor authentication mandatory for users to snuff out attacks that could lead to a network intrusion.
Any IT administrator that hasn’t followed that advice is in big trouble now that news has emerged that a hacker has leaked the credentials for almost 50,000 vulnerable Fortinet VPNs and has dumped a file with “sslvpn_websession” files for every IP that had been on the list.
The report comes from Bleeping Computer, which says anyone can copy these files that include usernames, passwords, access levels (e.g. “full-access”), and the original unmasked IP addresses of users connected to the Fortinet VPNs. The vulnerability has been given the number CVE-2018-13379.
The exposure of passwords in these files means that even if the vulnerable Fortinet VPNs are later patched, these credentials could be reused by anyone with access to the dump in credential stuffing attacks, or to potentially regain access to these VPNs, the news article argues.
That suggests changing passwords and adding 2FA is vital.
In May 2019, Fortinet warned that a path traversal vulnerability in the FortiOS SSL VPN web portal had been discovered that could allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Affected products have the following operating systems: FortiOS 6.0 – 6.0.0 to 6.0.4; FortiOS 5.6 – 5.6.3 to 5.6.7; and FortiOS 5.4 – 5.4.6 to 5.4.12. The solution is to upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
Fortinet says it has repeatedly warned customers of the need to update their operating systems, but apparently, the vulnerability has been exploited many times due to a lack of patching. Bleeping Computer says the same flaw was used by attackers to recently break into U.S. government elections support systems.
In July, Fortinet reminded customers in a blog that Canadian and U.K. cybersecurity authorities were warning that an advanced threat group researchers dub APT29 was using several vulnerabilities, including the Fortinet VPN flaw, to steal COVID-19 research.