Fortinet backdoored FortiOS or hackers did for monitoring since last 5 years

About a week ago, two reports of vulnerabilities affecting the Virtual Private Network (VPN) Secure Socket Layer (SSL) systems of Fortinet appeared. According to the experts who revealed these flaws, a hacker group has begun exploiting these vulnerabilities in FortiGate and Pulse Connect Secure SSL VPNs.

Fortinet’s engineers implemented a very bad method of authentication in operating system on its firewall. This allows an unauthenticated attacker to modify the password of  SSL VPN portal. It seems it was intentionally done as it has been done very poorly. They had implemented a special parameter called “magic” which allowed the change of password. This seems like a back door which cold have been done by the company intentionally or some hackers like in the case of IMPERVA another company which said hackers were having backdoors in their systems since 2017.

There is an exploit available for exploiting this vulnerability in github. You can see the details of exploit in the screen and forums where experts are talking about this backdoor.

Vulnerabilities in
FortiGate SSL VPN

Experts Orange Tsai and Meh Chang, from DEVCORE researchersteam, published the second part of their research on security flaws in SSL VPNs; the first part of the investigation focused on the CVE-2019-1579 vulnerability, a critical security flaw prior to authentication.

The research presents 5 security vulnerabilities during a vulnerability assessment, which are shown below, along with the score assigned to each by the Common Vulnerabiltiy Scoring System (CVSS):

  • CVE-2018-13379: It is an arbitrary file read vulnerability with a score of 9.1/10 on the CVSS scale
  • CVE-2018-13380: Cross-Site Script vulnerability (XSS) with a score of 6.1/10
  • CVE-2018-13381: Pre-authentication heap overflow vulnerability with 7.5 score on CVSS
  • CVE-2018-13382: It’s an inappropriate authorization flaw with a score of 7.5/10
  • CVE-2018-13383: Post-authentication heap overflow vulnerability with 6.5/10 score

Apparently, hackers exploit the CVE-2018-13379
flaw, an arbitrary file read vulnerability prior to authentication in the way
FortiOS requests a system language file. Experts mentioned that by exploiting
this vulnerability, hackers can read the content of
“sslvpn_websession”, a file containing a username and the
corresponding password are formatted on the compromised system.

In their report, experts add that it is even
possible to combine this flaw with CVE-2018-13383 (post-authentication heap
overflow) in FortiGate WebVPN. This flaw could be triggered when the attacker
instructs the SSL VPN to proxy to a web server under its control, which hosts
an exploit file.

On the other hand, the CVE-2018-13382
vulnerability, dubbed by researchers as “magic backdoor”, takes
advantage of a special parameter called “magic”, used by hackers as a
secret key to reset a password without the need for other forms of authentication.

Hackers began searching for vulnerable
endpoints on the Pulse Connect Secure VPN server after the release of a
proof-of-concept for the CVE-2019-11510 arbitrary file disclosure flaw. Similar
to CVE-2018-13379, this vulnerability is used by hackers to find exposed
systems to recover unencrypted usernames and passwords.

If successfully authenticated, hackers can use
the CVE-2019-11539 (command injection in the administrator’s web interface)
vulnerability to access restricted environments.

As a precautionary measure, customers running vulnerable versions of FortiGate are encouraged to upgrade to the latest versions as soon as possible.

To Top

Pin It on Pinterest

Share This