Monday, November 29, 2021

Thousands of Fortinet VPN users may be at risk after leak of credentials

Over a year ago, Fortinet warned customers of its FortiOS SSL VPN devices to upgrade to the latest version of the operating system, reset passwords and make two-factor authentication mandatory for users to snuff out attacks that could lead to a network intrusion.

Any IT administrator that hasn’t followed that advice is in big trouble now that news has emerged that a hacker has leaked the credentials for almost 50,000 vulnerable Fortinet VPNs and has dumped a file with “sslvpn_websession” files for every IP that had been on the list.

The report comes from Bleeping Computer, which says anyone can copy these files that include usernames, passwords, access levels (e.g. “full-access”), and the original unmasked IP addresses of users connected to the Fortinet VPNs. The vulnerability has been given the number CVE-2018-13379.

The exposure of passwords in these files means that even if the vulnerable Fortinet VPNs are later patched, these credentials could be reused by anyone with access to the dump in credential stuffing attacks, or to potentially regain access to these VPNs, the news article argues.

That suggests changing passwords and adding 2FA is vital.

In May 2019, Fortinet warned that a path traversal vulnerability in the FortiOS SSL VPN web portal had been discovered that could allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

Affected products have the following operating systems: FortiOS 6.0 – 6.0.0 to 6.0.4; FortiOS 5.6 – 5.6.3 to 5.6.7; and  FortiOS 5.4 – 5.4.6 to 5.4.12. The solution is to upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

Fortinet says it has repeatedly warned customers of the need to update their operating systems, but apparently, the vulnerability has been exploited many times due to a lack of patching. Bleeping Computer says the same flaw was used by attackers to recently break into U.S. government elections support systems.

In July, Fortinet reminded customers in a blog that Canadian and U.K. cybersecurity authorities were warning that an advanced threat group researchers dub APT29 was using several vulnerabilities, including the Fortinet VPN flaw, to steal COVID-19 research.

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News