FortiOS system file leak through SSL VPN
Hackers are actively trying to steal passwords from SSL VPNs. Fortinet's VPN server was found vulnerable to disclosure of usernames and passwords in plain text: FortiOS leaks system files through the SSL VPN in response to specially crafted HTTP resource requests. Credit for recently identifying the vulnerability goes to Meh Chang and Orange Tsai from the DEVCORE Security Research Team.
Hackers hit FortiOS recently. The affected Fortinet products are:
- FortiOS 6.0: 6.0.0 to 6.0.4
- FortiOS 5.6: 5.6.3 to 5.6.7
- FortiOS 5.4: 5.4.6 to 5.4.12
Other branches and versions are not impacted. The listed versions are affected only if the SSL VPN service (web-mode or tunnel-mode) is enabled.
To fix the issue, upgrade to FortiOS 5.6.8 or above, 6.0.5 or above, 6.2.0 or above, or the upcoming 5.4.13.
As a temporary solution, the only workaround is to totally disable the SSL VPN service (both web-mode and tunnel-mode).
Furthermore, SSL VPN users with local authentication can mitigate the impact by enabling Two-Factor Authentication (2FA).
I would say that using 2FA for VPN access can be a good security practice.
The researchers reported the flaws to Fortinet on Dec. 11, 2018.
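The version ranges and fixed releases listed above can be turned into a quick inventory check. The following is an added example, not code from Fortinet or the original post; the function names, hostnames and version strings are constructed for illustration.

```python
import re

# Affected ranges and fixed releases, taken from the lists above.
# Keys are (major, minor); values are (first affected, last affected, fixed release).
AFFECTED = {
    (6, 0): ((6, 0, 0), (6, 0, 4), "6.0.5"),
    (5, 6): ((5, 6, 3), (5, 6, 7), "5.6.8"),
    (5, 4): ((5, 4, 6), (5, 4, 12), "5.4.13"),
}

def parse_version(text):
    """Extract (major, minor, patch) as integers from a string such as 'v6.0.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def assess(version_text, sslvpn_enabled):
    """Return (status, advice) for one device."""
    ver = parse_version(version_text)
    entry = AFFECTED.get(ver[:2])
    # Integer tuples compare numerically, so 5.4.12 sorts after 5.4.6
    # (a plain string comparison would get this wrong).
    if entry is None or not (entry[0] <= ver <= entry[1]):
        return "not-affected", "version is outside the listed ranges"
    fixed = entry[2]
    if not sslvpn_enabled:
        # The issue is only reachable when SSL VPN (web or tunnel mode) is on.
        return "sslvpn-off", f"upgrade to {fixed} or above before enabling SSL VPN"
    return "vulnerable", f"upgrade to {fixed} or above, or disable SSL VPN until patched"

def triage(inventory):
    """Map each hostname to its status."""
    return {host: assess(ver, vpn)[0] for host, ver, vpn in inventory}

# Constructed sample inventory: (hostname, reported version, SSL VPN enabled)
INVENTORY = [
    ("fw-branch-01", "v6.0.4", True),
    ("fw-branch-02", "v5.4.12", True),
    ("fw-hq-01", "v5.6.8", True),
    ("fw-lab-01", "v5.6.5", False),
]

if __name__ == "__main__":
    for host, ver, vpn in INVENTORY:
        status, advice = assess(ver, vpn)
        print(f"{host:14} {ver:8} {status:13} {advice}")
```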
In addition, they noted, among the largest 500 publicly traded U.S. companies, just three SSL VPN vendors commanded 75 percent market share. “The diversity of SSL VPN is narrow. Therefore, once we find a critical vulnerability on the leading SSL VPN, the impact is huge,” they said. “There is no way to stop us because SSL VPN must be exposed to the internet.”
To conclude, if 2FA is enabled for SSL VPN, login is not possible with the password alone.
Shree is based in Butwal, Nepal. Shree holds a degree in M.Sc. (IT) and began working at New Horizons, Nepal Center in 2007-2012. After that, Shree has contributed to various reputed firms in Kathmandu, with years of experience in teaching, IT administration, management and consulting services, especially in the payment/software industries (IT infrastructure and security solutions).