A lingering, unpatched vulnerability in Fortinet SSL VPN appliances has become the entry point for a new human-operated ransomware attack. Administrators of Fortinet VPNs should check which FortiOS versions are in use and act accordingly. In some cases Incident Response may be necessary.
What is the nature of the threat?
FBI, CISA and NCSC have published alerts warning about massive scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379 exploits:
“Multiple Advanced Persistent Threat (APT) actors have been observed scanning devices on ports 4443, 8443, and 10443 for CVE-2018-13379”
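The scanning the alert describes leaves a simple footprint: one source touching several of the three ports in a short time. The script below, an added example and not code from the alert or from Fortinet, flags such sources in firewall logs. The key=value log format, the timestamps and the IP addresses are constructed for illustration; adapt the regular expression to your own firewall's export format.

```python
"""Flag sources probing the SSL VPN ports named in the FBI/CISA/NCSC alert
(4443, 8443, 10443).  Added example; the log lines and their key=value
layout are constructed, not real Fortinet output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {4443, 8443, 10443}  # ports quoted in the alert

# Matches the constructed key=value format used in SAMPLE_LOGS below.
LINE_RE = re.compile(
    r'date=(?P<date>\S+) time=(?P<time>\S+) .*?srcip=(?P<src>\S+) '
    r'.*?dstip=(?P<dst>\S+) .*?dstport=(?P<port>\d+) .*?action=(?P<action>\S+)'
)

# Constructed sample: one source sweeps all three ports within seconds,
# another touches two of them hours apart (plus ordinary 443 traffic).
SAMPLE_LOGS = """\
date=2021-04-06 time=09:00:01 srcip=203.0.113.5 dstip=198.51.100.10 dstport=4443 action=deny
date=2021-04-06 time=09:00:02 srcip=203.0.113.5 dstip=198.51.100.10 dstport=8443 action=deny
date=2021-04-06 time=09:00:03 srcip=203.0.113.5 dstip=198.51.100.10 dstport=10443 action=accept
date=2021-04-06 time=09:05:00 srcip=192.0.2.20 dstip=198.51.100.10 dstport=443 action=accept
date=2021-04-06 time=09:06:00 srcip=192.0.2.20 dstip=198.51.100.10 dstport=8443 action=accept
date=2021-04-06 time=13:00:00 srcip=192.0.2.20 dstip=198.51.100.10 dstport=4443 action=deny
"""


def parse(lines):
    """Yield (timestamp, src, dst, dport, action) for every line that matches."""
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        yield ts, m['src'], m['dst'], int(m['port']), m['action']


def find_scanners(lines, window=timedelta(minutes=10), min_ports=2):
    """Return {src: sorted watched ports} for every source that hit at least
    `min_ports` distinct watched ports within `window` of each other.
    Denied and accepted connections both count: an accepted probe is the
    one that matters most for an exposed, unpatched appliance."""
    events = defaultdict(list)  # src -> [(timestamp, port)]
    for ts, src, _dst, port, _action in parse(lines):
        if port in WATCHED_PORTS:
            events[src].append((ts, port))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Slide a window starting at each event and collect the distinct ports in it.
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOGS).items():
        print(f"{src} probed SSL VPN ports {ports}")
```

With the default ten-minute window only the fast sweep from 203.0.113.5 is reported; widening the window to a few hours also surfaces the slow, two-port probe from 192.0.2.20, which is the trade-off to tune against your own traffic volume.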
Additionally, Kaspersky researchers reported that the vulnerability is mostly being exploited by the operators of a new human-operated ransomware strain known as Cring, who use it to breach and then encrypt their targets’ networks.
A significant number of organizations have yet to apply the patch to their network(s). A list of approximately 50,000 IP addresses relating to unpatched devices has been published by threat actors.
The NCSC also warned that organizations using unpatched Fortinet VPN devices must assume they are now compromised, and should start removing the device from service and returning it to factory settings and begin incident response procedures.
The vulnerability can be used to extract the session file of the VPN gateway, which contains usernames and plaintext passwords.
It can also be used for a directory traversal attack, which an attacker can carry out over the internet to remotely access and download FortiOS system files from the appliance.
Proof of Concept code can be found on GitHub, posted by user “milo2012”:
Affected FortiOS versions:
- FortiOS 6.0 – 6.0.0 to 6.0.4
- FortiOS 5.6 – 5.6.3 to 5.6.7
- FortiOS 5.4 – 5.4.6 to 5.4.12
Branches and versions other than those above are not impacted. The listed versions are exploitable only if the SSL VPN service (web-mode or tunnel-mode) is enabled.
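Checking a fleet against the ranges above is easy to get wrong by hand (string comparison puts 5.4.12 before 5.4.6). The following added example, not Fortinet's code and not from the advisory, encodes the three ranges and the SSL VPN condition as a small triage function. The version strings and the `sslvpn_enabled` flag are assumptions standing in for what you would read from each device's configuration.

```python
"""Triage FortiOS builds against the CVE-2018-13379 affected ranges.
Added example; AFFECTED_RANGES is transcribed from the advisory text above,
everything else is an assumption about how you collect the inputs."""
from typing import Tuple

Version = Tuple[int, int, int]

# (branch, first affected build, last affected build), inclusive on both ends.
AFFECTED_RANGES = [
    ("6.0", (6, 0, 0), (6, 0, 4)),
    ("5.6", (5, 6, 3), (5, 6, 7)),
    ("5.4", (5, 4, 6), (5, 4, 12)),
]


def parse_version(text: str) -> Version:
    """Accept '6.0.3', 'v6.0.3' or 'FortiOS 6.0.3' and return a numeric tuple,
    so that comparisons are numeric rather than lexical."""
    core = text.strip().lower()
    if core.startswith("fortios"):
        core = core[len("fortios"):].strip()
    core = core.lstrip("v")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def version_in_affected_range(text: str) -> bool:
    """True if the build falls inside any of the advisory's affected ranges."""
    ver = parse_version(text)
    return any(lo <= ver <= hi for _branch, lo, hi in AFFECTED_RANGES)


def assess(text: str, sslvpn_enabled: bool) -> str:
    """Classify one device following the advisory:
    affected build with SSL VPN enabled  -> exposed; per the NCSC warning,
                                            assume compromise and start IR
    affected build with SSL VPN disabled -> not exploitable, but still patch
    any other build                      -> out of scope for this CVE"""
    if not version_in_affected_range(text):
        return "not-affected"
    if sslvpn_enabled:
        return "assume-compromised"
    return "patch-required"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version string, SSL VPN enabled).
    inventory = [
        ("vpn-edge-1", "FortiOS 6.0.3", True),
        ("vpn-edge-2", "v5.4.12", False),
        ("vpn-lab", "6.2.1", True),
    ]
    for host, version, sslvpn in inventory:
        print(f"{host:12} {version:14} -> {assess(version, sslvpn)}")
```

The "not-affected" outcome only covers CVE-2018-13379; the patch list further down names two more CVEs, so a device that passes this check still needs its firmware brought current.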
Immediately patch CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution deny list, so that any attempt to install or run the program and its associated files is prevented.
Additional details available here: