The FBI and CISA are warning that nation-state advanced persistent threat (APT) actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products.

Cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.

The bug tracked as CVE-2018-13379 is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

The CVE-2019-5591 flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

CVE-2020-12812 is an improper authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
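
A detection check for the CVE-2020-12812 behaviour described above, added here as an example and not taken from the FBI/CISA advisory or from Fortinet: it flags successful VPN logins whose username matches a configured account only after case folding. The log lines, the field names (`action`, `status`, `user`, `srcip`, `mfa`) and the account list are constructed for illustration and are not FortiOS log format.

```python
import re

# Constructed sample: usernames exactly as configured on the VPN (assumption).
CONFIGURED_USERS = ["jsmith", "Alice.Wong", "svc-backup"]

# Constructed key=value auth events; field names are illustrative, not FortiOS log fields.
SAMPLE_LOG = """\
2021-04-02T08:14:03Z action=login status=success user="jsmith" srcip=198.51.100.7 mfa=passed
2021-04-02T08:15:41Z action=login status=success user="JSmith" srcip=203.0.113.45 mfa=none
2021-04-02T08:16:10Z action=login status=failed user="ALICE.WONG" srcip=203.0.113.45 mfa=none
2021-04-02T08:17:55Z action=login status=success user="alice.wong" srcip=203.0.113.45 mfa=none
2021-04-02T08:20:12Z action=login status=success user="contractor1" srcip=192.0.2.9 mfa=passed
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one log line into a timestamp plus its key=value fields."""
    timestamp, _, rest = line.partition(" ")
    event = {"time": timestamp}
    for key, quoted, bare in FIELD_RE.findall(rest):
        event[key] = quoted or bare
    return event

def find_case_variant_logins(log_text, configured_users):
    """Return successful logins whose username differs from a configured account only by case."""
    by_folded = {name.casefold(): name for name in configured_users}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("action") != "login" or event.get("status") != "success":
            continue
        submitted = event.get("user", "")
        canonical = by_folded.get(submitted.casefold())
        if canonical is not None and submitted != canonical:
            findings.append({
                "time": event["time"], "submitted": submitted, "configured": canonical,
                "srcip": event.get("srcip"), "mfa": event.get("mfa"),
            })
    return findings

if __name__ == "__main__":
    for hit in find_case_variant_logins(SAMPLE_LOG, CONFIGURED_USERS):
        print(hit)
```

A hit that also shows no completed second factor is the combination the advisory describes and deserves review first; the failed `ALICE.WONG` attempt and the unconfigured `contractor1` account are deliberately not reported.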

“CVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,” Satnam Narang, staff research engineer at Tenable, said via email. “In fact, Tenable’s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.”

How to Stay Protected

The FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:

  • Immediately patch CVEs 2018-13379, 2020-12812 and 2019-5591.
  • If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution-deny list. Any attempts to install or run this program and its associated files should be prevented.
  • Regularly back up data, air-gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.