FBI Warning: Recent FortiOS Vulnerabilities
The FBI recently released a warning about hackers using a trio of vulnerabilities that are present on some Fortinet firewalls. Attackers are leveraging these three distinct vulnerabilities to gain access to networks.
The first vulnerability, CVE-2018-13379, allows an attacker to download firewall system files under the SSL VPN web portal using HTTP. Attackers scan ports 4443, 8443, and 10443 to see whether the SSL VPN portal is available. If it is, they use CVE-2020-12812 to log in without a second authentication factor. Finally, the attackers use CVE-2019-5591 to sniff traffic going to a legitimate internal LDAP server.
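On the defensive side, the port scan described above is the earliest step that shows up in perimeter logs. The following is an added example, not code from Thrive, Fortinet or the FBI notice: it flags sources that reach more than one of the three ports within a short window. The log layout, sample addresses, 5-minute window and 2-port threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the advisory says attackers scan for the SSL VPN web portal.
SSLVPN_PORTS = {4443, 8443, 10443}

# Constructed sample in a hypothetical "time src= dport=" log layout.
SAMPLE_LOG = """\
2021-04-05T10:00:01 src=198.51.100.7 dport=4443
2021-04-05T10:00:03 src=198.51.100.7 dport=8443
2021-04-05T10:00:04 src=198.51.100.7 dport=10443
2021-04-05T10:02:00 src=192.0.2.44 dport=10443
2021-04-05T10:05:00 src=192.0.2.44 dport=10443
2021-04-05T09:00:00 src=192.0.2.99 dport=4443
2021-04-05T11:30:00 src=192.0.2.99 dport=8443
truncated line without fields
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dport) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))
        except ValueError:  # timestamp did not parse
            continue

def find_port_sweeps(log_text, min_ports=2, window=timedelta(minutes=5)):
    """Return {src: ports} for sources hitting >= min_ports distinct SSL VPN ports in one window."""
    hits = defaultdict(list)
    for ts, src, dport in parse(log_text):
        if dport in SSLVPN_PORTS:
            hits[src].append((ts, dport))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    print(find_port_sweeps(SAMPLE_LOG))
```

A source that returns to a single port repeatedly, as a normal VPN user would, is not flagged; only sources touching several of the listed ports close together are.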
Utilizing all three of these attacks allows the attacker to gain more access into the network. Each of these vulnerabilities is present in different versions of code. If a device runs an earlier version of code, it may require multiple upgrades.
This is a sophisticated attack that requires multiple exploitable vulnerabilities to work. Only a select number of firewalls are vulnerable to this attack. Thrive observed that less than 1% of its customer deployments are on the firmware versions contained in this notification.
In general, our engineering team recommends that all Fortinet firewalls be upgraded to 6.4.4 if possible.
If you have any questions, please feel free to contact us.