49,000 Vulnerable Fortinet VPNs, Unpatched for Almost Two Years

Dec 03, 2020


Almost two years ago, a vulnerability on many Fortinet FortiOS SSL VPN devices was discovered and subsequently patched. Despite this, around 50,000 targets have continued to go unpatched and are still open to attackers. A threat actor has gone out and done the hard work of compiling a 49,577-long list of these vulnerable devices and has posted it on a hacker forum. Now, the data is up for grabs. Included amongst the 49,577 vulnerable devices are those belonging to government domains and well-known banks and finance companies.

“In May 2019, Fortinet issued a PSIRT advisory regarding an SSL vulnerability that was resolved, and have also communicated directly with customers and again via corporate blog posts in August 2019 and July 2020 strongly recommending an upgrade. In the last week, we have communicated with all customers notifying them again of the vulnerability and steps to mitigate.”

Fortinet update, November 23rd, 2020

The vulnerability referred to above is CVE-2018-13379, a path traversal flaw impacting unpatched Fortinet FortiOS SSL VPN devices. This vulnerability allows unauthenticated, remote attackers to access system files via specially crafted HTTP requests. The exploit posted by the threat actor lets attackers access the sslvpn_websession files from Fortinet VPNs to steal login credentials. These stolen credentials can then be used to compromise a network and deploy ransomware.
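The description above gives a defender two concrete indicators to hunt for in SSL VPN portal access logs: directory-traversal sequences in the requested path, and any reference to the `sslvpn_websession` file that holds session credentials. The following is an added example, not code from the article or from Fortinet, of a small log scanner that normalizes percent-encoded (including double-encoded) paths before matching, so encoded variants of the same request are not missed. The log lines, client addresses, URL paths and log format are constructed for the example and are not FortiOS's real paths or log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic, not FortiOS format):
# client "METHOD path HTTP/x" status
SAMPLE_LOG = """\
203.0.113.10 "GET /remote/login?lang=en HTTP/1.1" 200
203.0.113.11 "GET /vpn/download?file=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 404
203.0.113.12 "GET /vpn/download?file=%252e%252e%252f%252e%252e%252fsslvpn_websession HTTP/1.1" 200
203.0.113.13 "POST /remote/logincheck HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A "../" (or "..\" before normalization) anywhere in the decoded path.
TRAVERSAL_RE = re.compile(r"\.\./")
# File name named in the article as the target of the traversal.
SESSION_FILE = "sslvpn_websession"


def normalize_path(raw, rounds=3):
    """Percent-decode repeatedly (defeats double encoding) and unify slashes."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def classify_request(path):
    """Return a verdict string for a suspicious request path, or None if benign."""
    p = normalize_path(path)
    traversal = bool(TRAVERSAL_RE.search(p))
    session_file = SESSION_FILE in p.lower()
    if traversal and session_file:
        return "credential_file_access"   # traversal aimed at the session file
    if traversal:
        return "path_traversal"           # generic traversal probe
    if session_file:
        return "session_file_reference"   # worth a look even without traversal
    return None


def scan_log(text):
    """Scan log text and return one finding per suspicious request.

    The HTTP status is kept because a 200 on a traversal request is the
    case that suggests the device is unpatched, not merely being probed.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        verdict = classify_request(m["path"])
        if verdict:
            findings.append({
                "client": m["client"],
                "status": int(m["status"]),
                "verdict": verdict,
                "path": normalize_path(m["path"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']:15} {f['status']} {f['verdict']:24} {f['path']}")
```

Feeding real portal logs through `scan_log` requires only adjusting `LOG_RE` to the device's log format; the decoding and classification logic is independent of it. Treat `credential_file_access` with a 200 response as a trigger to assume session credentials were exposed, reset them, and confirm the FortiOS version is patched.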

Companies are sometimes slow to patch these vulnerabilities despite receiving prompt notice and known resolutions. These organizations were given extensive forewarning of this specific vulnerability yet have not taken the measures to fix it. In other words, there is no excuse for it remaining unpatched at this point. If it is a matter of cost for these companies, what is the price of negligence and a potential breach? What will it take for organizations to add the personnel resources and budget necessary to become proactive about their security initiatives instead of reactive? When will organizations learn that kicking the can down the road is not an effective strategy when it comes to cybersecurity? Will it take the release and exploitation of their intellectual property or their consumers’ data? A ransomware outbreak that encrypts their company’s data and halts their ability to do business?

“Secuvant’s SOC sees brute force attempts and Apache web attacks on customers’ SSL VPN portals every day. Having an exposed SSL VPN increases the likelihood of session leakage, cross-site scripting attacks, heap overflows, and reading of files by bad actors.”

Secuvant’s Director of Security Operations, Eric Peterson

Secuvant customers want to stay out of the headlines and avoid a tarnished reputation. One way or another, organizations end up paying for a loose patch schedule or for continuing to expose vulnerabilities such as Fortinet’s VPN CVE to the world. Implementing a proactive cybersecurity program always reduces the attack surface and improves a company’s risk posture, saving it from avoidable costs. Actively addressing open vulnerabilities in your organization gives executives and stakeholders peace of mind: it provides a level of cyber certainty by controlling what you can control, and a comprehensive patch management program is exactly that.

About Secuvant

Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit www.secuvant.com.