
The global impact of the Fortinet 50.000 VPN leak posted online

The global impact of the Fortinet 50.000 VPN leak posted online, with many countries impacted, including Portugal.

A compilation of one-line exploits for the vulnerability tracked as CVE-2018-13379, which could be used to steal VPN credentials from nearly 50.000 Fortinet VPN devices, has been posted online.

This vulnerability is an improper limitation of a pathname to a restricted directory (“Path Traversal”) in the SSL VPN web portal of Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, which allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. According to NIST NVD, the flaw has a CVSS base score of 9.8 – CRITICAL.

The compilation contains 49,577 IP addresses vulnerable to Fortinet SSL VPN CVE-2018-13379, according to Bank Security, who first noticed the leak on Twitter.

In detail, exploitation of the critical Fortinet vulnerability gives the attacker a privileged position, with access to the sensitive “sslvpn_websession” files of Fortinet VPNs.

After analyzing the leaked data, we noticed the list of vulnerable targets includes domains belonging to large enterprises, financial institutions, and government organizations from all over the world. In order to understand the volume and impact of this threat, we organized all the data on a geographic map presented below.

Geomap of impacted countries

As observed, the USA is the most impacted country, with a total of 10.103 vulnerable devices shared in this leak. China, Japan, Korea, Brazil, Germany, United Kingdom, Spain, Italy, and France complete the TOP 10 most impacted countries. Portugal can also be found in this list, with 136 vulnerable devices. The complete list from this analysis is presented next.

Complete list of affected countries

  • 10103 United States
  • 6336 China
  • 2821 Japan
  • 2543 Korea
  • 2280 Brazil
  • 2212 Germany
  • 2127 United Kingdom
  • 1547 Spain
  • 1370 Italy
  • 1294 France
  • 1096 Australia
  • 981 Russian Federation
  • 847 Netherlands
  • 761 Argentina
  • 688 Taiwan
  • 648 Canada
  • 575 Egypt
  • 569 Colombia
  • 520 South Africa
  • 444 India
  • 424 Poland
  • 400 Sweden
  • 397 Indonesia
  • 384 Denmark
  • 374 Mexico
  • 367 Switzerland
  • 364 Turkey
  • 353 Chile
  • 344 Viet Nam
  • 325 Venezuela
  • 308 Ukraine
  • 267 Hong Kong
  • 253 Pakistan
  • 238 Hungary
  • 226 Finland
  • 220 New Zealand
  • 217 Czech Republic
  • 206 Romania
  • 177 Belgium
  • 163 Austria
  • 153 Iran
  • 147 Philippines
  • 136 Portugal
  • 135 Estonia
  • 128 Norway
  • 123 Saudi Arabia
  • 122 Peru
  • 118 Ireland
  • 113 Panama
  • 110 Thailand
  • 104 Malaysia
  • 88 Kuwait
  • 87 Israel
  • 77 Uruguay
  • 73 Azerbaijan
  • 69 Singapore
  • 61 United Arab Emirates
  • 59 El Salvador
  • 58 Bangladesh
  • 55 Slovenia
  • 53 Greece
  • 51 Belarus
  • 51 Kenya
  • 46 Bulgaria
  • 45 Paraguay
  • 45 Slovakia
  • 43 Oman
  • 41 Ecuador
  • 41 Lithuania
  • 41 Morocco
  • 38 Honduras
  • 37 Dominican Republic
  • 31 Guatemala
  • 31 Seychelles
  • 30 Puerto Rico
  • 24 Latvia
  • 22 Macedonia
  • 21 Luxembourg
  • 20 Qatar
  • 19 Kazakhstan
  • 19 Kyrgyzstan
  • 18 Nicaragua
  • 17 Croatia
  • 17 Cyprus
  • 17 Lebanon
  • 16 Algeria
  • 15 Jordan
  • 14 Bahrain
  • 14 Costa Rica
  • 12 Ghana
  • 12 Moldova
  • 12 Syrian Arab Republic
  • 11 Nigeria
  • 11 Uzbekistan
  • 10 Bolivia
  • 10 Holy See (Vatican City State)
  • 10 Iraq
  • 10 Trinidad And Tobago
  • 9 Bosnia And Herzegovina
  • 9 Iceland
  • 8 Cameroon
  • 8 Palestinian Territory
  • 8 Tanzania
  • 7 Georgia
  • 7 Ivory Coast
  • 7 Mauritius
  • 7 Myanmar
  • 7 Zambia
  • 6 Angola
  • 6 Armenia
  • 6 Mozambique
  • 6 Sri Lanka
  • 5 French Polynesia
  • 5 Liberia
  • 5 Montenegro
  • 4 Palau
  • 4 Tunisia
  • 3 Afghanistan
  • 3 Aruba
  • 3 Fiji
  • 3 Malawi
  • 3 Nepal
  • 2 Aland Islands
  • 2 Bahamas
  • 2 Bermuda
  • 2 Cuba
  • 2 Guam
  • 2 Rwanda
  • 2 Uganda
  • 1 Andorra
  • 1 Belize
  • 1 Benin
  • 1 Botswana
  • 1 Cambodia
  • 1 Cayman Islands
  • 1 Guinea
  • 1 Martinique
  • 1 Papua New Guinea
  • 1 Republic of the Congo
  • 1 Reunion

Some days after the leak, another thread was published on the same forum. A threat actor shared the data dumped from the list of vulnerable devices, containing the “sslvpn_websession” file for every IP.

As observed, these files reveal usernames, passwords, access levels (e.g., “full-access”, “root”), and the original unmasked IP addresses of the users connected to the VPNs.

The details exfiltrated from the vulnerable Fortinet VPNs, also posted on the forum, are packed in a file of a few megabytes that expands to over 7 GB when decompressed.

The exposure of passwords in these files can be abused by criminals to connect to the organization’s internal networks and bypass security restrictions, since in some cases the leaked accounts are highly privileged. In other scenarios, these credentials could be reused by anyone with access to this dump to perform credential stuffing attacks.

Impact of this leak

Although this flaw was disclosed more than a year ago, several companies have yet to patch their systems, despite the many warnings from security experts. As a result of this leak, an attacker can access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then be used to compromise a network and deploy malware.

In Portugal, 136 devices are vulnerable and were shared in this leak.

Many professionals have already validated these credentials. A successful login to the Fortinet VPN portal of a random organization, and successful authentication through the Fortinet VPN client with a leaked password, can be seen in the next images.

Last but not least, this is the time to implement an efficient patch management process and to fix a vulnerability two years after its public disclosure.

Affected Products
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12

(other branches and versions than above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

More details here: https://www.fortiguard.com/psirt/FG-IR-18-384
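As an added defender's check (not part of the original post or of Fortinet's own tooling), the affected ranges and fixed releases listed above can be encoded in a small script that tells whether a reported FortiOS build is exposed and which release on its branch fixes it. The long version-string format accepted by the parser (`v6.0.4,build...`) is an assumption about the output of `get system status`.

```python
import re
from typing import Optional, Tuple

# Affected window (low, high) and first fixed release per branch,
# exactly as listed in the advisory excerpt above (FG-IR-18-384).
AFFECTED = {
    (5, 4): ((5, 4, 6), (5, 4, 12), (5, 4, 13)),
    (5, 6): ((5, 6, 3), (5, 6, 7), (5, 6, 8)),
    (6, 0): ((6, 0, 0), (6, 0, 4), (6, 0, 5)),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from a FortiOS version string.

    Accepts a plain "6.0.4" as well as the longer form assumed to be printed by
    `get system status`, e.g. "v6.0.4,build0000,000000 (GA)" (placeholder build).
    """
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str, sslvpn_enabled: bool = True) -> bool:
    """True if the build is inside an affected window and SSL VPN is enabled."""
    if not sslvpn_enabled:
        # The advisory scopes the flaw to devices with SSL VPN (web or tunnel mode) enabled.
        return False
    v = parse_version(version)
    window = AFFECTED.get(v[:2])
    if window is None:
        # Branches not listed (e.g. 6.2 and newer) are not impacted.
        return False
    low, high, _fixed = window
    return low <= v <= high


def recommended_upgrade(version: str, sslvpn_enabled: bool = True) -> Optional[str]:
    """First fixed release on the same branch, or None if no upgrade is needed."""
    if not is_affected(version, sslvpn_enabled):
        return None
    fixed = AFFECTED[parse_version(version)[:2]][2]
    return ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real device.
    for sample in ("6.0.4", "v5.6.3,build0000,000000 (GA)", "6.0.5", "6.2.0"):
        print(sample, "->", "affected, upgrade to " + recommended_upgrade(sample)
              if is_affected(sample) else "not affected")
```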

Original Post at https://seguranca-informatica.pt/the-global-impact-of-the-fortinet-50-000-vpn-leak-posted-online/#.X8Dk581Kg2x

About the authors: Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field, and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
