Fortinet’s 50,000 VPN Leak Highlights Lack of Cyber Hygiene
Posted on Dec 2, 2020 | By Pavithra Shankar
A threat hacker group named “Pumpedkicks” has leaked credentials for 50,000 Fortinet VPN devices that impact 140 countries around the world. Check out CSW’s analysis and recommendations for this vulnerability.
This breach was noticed five days ago by Bank Security who tweeted that 49,577 IPs are vulnerable to Fortinet SSL VPN vulnerability CVE-2018-13379. The threat actors have also posted one-line exploits that could be used on CVE-2018-13379 to steal VPN credentials from these devices.
This vulnerability exists in Fortinet with an improper limitation of a pathname to a restricted directory (“Path Traversal”) issue and it affects FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 , and 5.4.6 to 5.4.12. Under SSL VPN web portal it allows an unauthenticated attacker to download system files via special crafted HTTP resource requests. NVD has rated this vulnerability with a CVSS V3 Score 9.8 of critical severity.
CSW Researchers analyzed and found the following information about this vulnerability -
| CVE ID |
Exploits |
APT Group |
Mitigation |
|---|---|---|---|
| CVE-2018-13379 | Web App | APT5 |
CISA and FBI issued a warning last month underlining the US state's attacks, local, tribal and territorial government networks in which attackers are merging VPN and Windows vulnerabilities.
This breach affects many large enterprises, financial institutions, and government organizations all over the world. The USA tops the list of countries with more than 10,000 vulnerable devices followed by China and Japan.
The following are the list of affected countries and the count of vulnerable devices.
Users of these devices are advised to change their credentials and passwords. What makes this breach critical is the fact that even if Fortinet were to release a patch for this vulnerability today, the exposed credentials can be used by anyone to access these VPNs. Therefore, changing the password credentials is the first thing that organizations ought to do.
Impact of this leak
This leak can enable an attacker to access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then compromise a network to deploy malware.
For over a year, Fortinet has urged its customers to patch their systems which have been ignored. Multiple security agencies have issued alerts about this vulnerability and yet we have 50,000+ vulnerable devices around the world which highlights bad patch management and lack of cyber hygiene in organizations.
The following are our recommendations for network administrators and security professionals -
- Check out Fortinet’s security advisory here and upgrade the devices
- Changing password credentials is critical
- Implementing multi-factor authentication for passwords is essential.
Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!
