A threat actor has recently disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices, Fortinet has confirmed.
Unpatched CVE-2018-13379 in FortiGate SSL-VPN Devices Caused the Leak
According to the statement, the credentials were taken from systems that remained unpatched against a specific vulnerability, CVE-2018-13379, which was disclosed in May 2019. At the time, the company issued an advisory, communicated directly with its customers, and has since been encouraging them to upgrade the affected devices. However, as it turns out, many devices were left unpatched and hence vulnerable to exploitation.
Here’s the vulnerability’s official description:
An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
Even though the devices may have since been patched, they remain exposed if their passwords weren’t reset, Fortinet warned.
Following this incident, the company is urging customers and organizations running any of the affected versions to upgrade their devices and perform a password reset, as explained in its customer support bulletin. In other words, all affected parties should upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above. More information is available in Fortinet’s original alert.
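As an added example (not code from Fortinet or from the original article), the script below triages a constructed FortiGate inventory against the affected FortiOS ranges quoted above and the minimum versions named in Fortinet’s bulletin, and applies the caveat that a patched device still counts as exposed until its passwords are reset. The inventory layout, host names and the `passwords_reset_after_patch` flag are assumptions; FortiProxy builds are not handled.

```python
from typing import NamedTuple, Tuple

Version = Tuple[int, int, int]

# Affected FortiOS ranges (inclusive) from the CVE-2018-13379 description.
AFFECTED = [((5, 4, 6), (5, 4, 12)), ((5, 6, 3), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))]
# Minimum versions Fortinet's bulletin tells customers to upgrade to, per branch.
RECOMMENDED_MIN = {(5, 4): (5, 4, 13), (5, 6): (5, 6, 14), (6, 0): (6, 0, 11), (6, 2): (6, 2, 8)}


def parse_version(text: str) -> Version:
    """Turn strings like 'v6.0.4,build0268' or '5.6.7' into a comparable tuple."""
    core = text.strip().lstrip("vV").split(",")[0]
    parts = [int(p) for p in core.split(".")]
    if len(parts) != 3:
        raise ValueError(f"unexpected FortiOS version format: {text!r}")
    return (parts[0], parts[1], parts[2])


def version_status(text: str) -> str:
    """'vulnerable', 'patched' or 'below_recommended' for one FortiOS version string."""
    v = parse_version(text)
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "vulnerable"
    minimum = RECOMMENDED_MIN.get(v[:2])
    if minimum is None:
        # Assumption: branches newer than 6.2 post-date the fix; older ones have no fixed build.
        return "patched" if v[:2] > (6, 2) else "below_recommended"
    return "patched" if v >= minimum else "below_recommended"


class Device(NamedTuple):
    host: str
    version: str
    ssl_vpn_enabled: bool
    passwords_reset_after_patch: bool  # assumed inventory field, not a FortiOS attribute


def triage(d: Device) -> str:
    """Action for one device, honouring the post-patch password-reset caveat."""
    if version_status(d.version) != "patched":
        return "upgrade_and_reset_passwords"
    # A patched build is still exposed if credentials harvested earlier were never rotated.
    if d.ssl_vpn_enabled and not d.passwords_reset_after_patch:
        return "reset_passwords"
    return "ok"


INVENTORY = [  # constructed sample inventory, not real hosts
    Device("fw-branch-01", "v6.0.4,build0268", True, False),
    Device("fw-hq-01", "6.0.11", True, False),
    Device("fw-hq-02", "6.2.8", True, True),
    Device("fw-lab-01", "6.2.5", False, False),
]


def triage_inventory(devices) -> dict:
    return {d.host: triage(d) for d in devices}
```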
In June 2021, security researchers warned that cybercriminals were exploiting an older SQL injection flaw, CVE-2019-7481, located in SonicWall Secure Remote Access (SRA) 4600 devices running firmware versions 8.x and 9.x. The flaw was exploited in attacks against various organizations.