The global impact of the Fortinet 50.000 VPN leak posted online

The global impact of the Fortinet 50.000 VPN leak posted online, with many countries impacted, including Portugal.

A compilation of one-line exploits for the vulnerability tracked as CVE-2018-13379, which could be used to steal VPN credentials from nearly 50.000 Fortinet VPN devices, has been posted online.

The vulnerability is an improper limitation of a pathname to a restricted directory (“Path Traversal”) in the SSL VPN web portal of Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, which allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. According to NIST NVD, the flaw has a CVSS base score of 9.8 (CRITICAL).

The compilation contains 49,577 IP addresses vulnerable to Fortinet SSL VPN CVE-2018-13379, according to Bank Security, who first noticed the leak on Twitter.

In practice, exploiting this critical vulnerability puts the attacker in a privileged position, with access to the sensitive “sslvpn_websession” files of the affected Fortinet VPNs.
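As an added example (not from the original article or from Fortinet), the following Python flags path-traversal attempts of this kind in the access logs of an SSL VPN web portal. The log format and the sample lines are constructed, and the detection is generic to decoded `..` segments rather than tied to any particular request path.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for an SSL VPN portal (common log format). None
# is the real CVE-2018-13379 request; they cover plain, encoded and double-encoded '..'.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2020:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1432
203.0.113.7 - - [20/Nov/2020:10:01:09 +0000] "GET /remote/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 812
203.0.113.9 - - [20/Nov/2020:10:02:17 +0000] "GET /remote/static/../../../../dev/null HTTP/1.1" 404 0
203.0.113.11 - - [20/Nov/2020:10:03:44 +0000] "GET /remote/portal/%252e%252e/%252e%252e/x?lang=en HTTP/1.1" 200 90
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalise_path(raw: str) -> str:
    """Drop the query string and percent-decode until stable (%252e%252e -> %2e%2e -> '..')."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def min_depth(path: str) -> int:
    """Lowest directory depth reached while walking the path; negative = climbed above the web root."""
    depth = lowest = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif seg not in ("", "."):
            depth += 1
    return lowest

def flag_traversal(log_text: str) -> list:
    """One finding per request whose decoded path contains a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_path(m["path"])
        if ".." not in path.split("/"):
            continue
        # A 200 on a traversal request means the portal served a file: treat it
        # as a probable data exposure, not merely a probe (as a 404 would be).
        findings.append({"ip": m["ip"], "path": path, "status": int(m["status"]),
                         "escapes_root": min_depth(path) < 0,
                         "served": m["status"] == "200"})
    return findings
```

Requests that stay inside the web root (the last sample line) are still reported, since a `..` segment in a request to a VPN portal is never legitimate client behaviour.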

After analyzing the leaked data, we noticed the list of vulnerable targets includes domains belonging to large enterprises, financial institutions, and government organizations from all over the world. In order to understand the volume and impact of this threat, we organized all the data on a geographic map presented below.

Geomap of impacted countries

As observed, the USA is the most impacted country, with a total of 10.103 vulnerable devices shared in this leak. China, Japan, Korea, Brazil, Germany, United Kingdom, Spain, Italy, and France complete the TOP 10 most impacted countries. Portugal is also on this list, with 136 vulnerable devices. The complete list from this analysis follows.

Complete list of affected countries

  • 10103 United States
  • 6336 China
  • 2821 Japan
  • 2543 Korea
  • 2280 Brazil
  • 2212 Germany
  • 2127 United Kingdom
  • 1547 Spain
  • 1370 Italy
  • 1294 France
  • 1096 Australia
  • 981 Russian Federation
  • 847 Netherlands
  • 761 Argentina
  • 688 Taiwan
  • 648 Canada
  • 575 Egypt
  • 569 Colombia
  • 520 South Africa
  • 444 India
  • 424 Poland
  • 400 Sweden
  • 397 Indonesia
  • 384 Denmark
  • 374 Mexico
  • 367 Switzerland
  • 364 Turkey
  • 353 Chile
  • 344 Viet Nam
  • 325 Venezuela
  • 308 Ukraine
  • 267 Hong Kong
  • 253 Pakistan
  • 238 Hungary
  • 226 Finland
  • 220 New Zealand
  • 217 Czech Republic
  • 206 Romania
  • 177 Belgium
  • 163 Austria
  • 153 Iran
  • 147 Philippines
  • 136 Portugal
  • 135 Estonia
  • 128 Norway
  • 123 Saudi Arabia
  • 122 Peru
  • 118 Ireland
  • 113 Panama
  • 110 Thailand
  • 104 Malaysia
  • 88 Kuwait
  • 87 Israel
  • 77 Uruguay
  • 73 Azerbaijan
  • 69 Singapore
  • 61 United Arab Emirates
  • 59 El Salvador
  • 58 Bangladesh
  • 55 Slovenia
  • 53 Greece
  • 51 Belarus
  • 51 Kenya
  • 46 Bulgaria
  • 45 Paraguay
  • 45 Slovakia
  • 43 Oman
  • 41 Ecuador
  • 41 Lithuania
  • 41 Morocco
  • 38 Honduras
  • 37 Dominican Republic
  • 31 Guatemala
  • 31 Seychelles
  • 30 Puerto Rico
  • 24 Latvia
  • 22 Macedonia
  • 21 Luxembourg
  • 20 Qatar
  • 19 Kazakhstan
  • 19 Kyrgyzstan
  • 18 Nicaragua
  • 17 Croatia
  • 17 Cyprus
  • 17 Lebanon
  • 16 Algeria
  • 15 Jordan
  • 14 Bahrain
  • 14 Costa Rica
  • 12 Ghana
  • 12 Moldova
  • 12 Syrian Arab Republic
  • 11 Nigeria
  • 11 Uzbekistan
  • 10 Bolivia
  • 10 Holy See (Vatican City State)
  • 10 Iraq
  • 10 Trinidad and Tobago
  • 9 Bosnia and Herzegovina
  • 9 Iceland
  • 8 Cameroon
  • 8 Palestinian Territory
  • 8 Tanzania
  • 7 Georgia
  • 7 Ivory Coast
  • 7 Mauritius
  • 7 Myanmar
  • 7 Zambia
  • 6 Angola
  • 6 Armenia
  • 6 Mozambique
  • 6 Sri Lanka
  • 5 French Polynesia
  • 5 Liberia
  • 5 Montenegro
  • 4 Palau
  • 4 Tunisia
  • 3 Afghanistan
  • 3 Aruba
  • 3 Fiji
  • 3 Malawi
  • 3 Nepal
  • 2 Aland Islands
  • 2 Bahamas
  • 2 Bermuda
  • 2 Cuba
  • 2 Guam
  • 2 Rwanda
  • 2 Uganda
  • 1 Andorra
  • 1 Belize
  • 1 Benin
  • 1 Botswana
  • 1 Cambodia
  • 1 Cayman Islands
  • 1 Guinea
  • 1 Martinique
  • 1 Papua New Guinea
  • 1 Republic of the Congo
  • 1 Reunion

Some days after the leak, another thread was published on the same forum. A threat actor shared the data dumped from the list of vulnerable devices, containing the “sslvpn_websession” files for every IP.

As observed, these files reveal usernames, passwords, access levels (e.g., “full-access”, “root”), and the original unmasked IP addresses of the users connected to the VPNs.

The data exfiltrated from the vulnerable Fortinet VPNs, also posted on the forum, is an archive of a few megabytes that expands to over 7 GB when decompressed.

The passwords exposed in these files can be abused by criminals to connect to the organization’s internal networks and bypass security restrictions, since in some cases the leaked accounts are highly privileged. In other scenarios, these credentials could be reused by anyone with access to the dump in credential stuffing attacks.

Impact of this leak

Although this flaw was disclosed more than a year ago, several companies have yet to patch their systems, despite the many warnings from security experts. As a result of this leak, an attacker can access the sslvpn_websession files from Fortinet VPNs to steal login credentials, which could then be used to compromise a network and deploy malware.

In Portugal, 136 devices are vulnerable and were shared in this leak.

Many professionals have already validated these credentials. The next images show a successful login to the Fortinet VPN portal of a random organization, and a successful authentication through the Fortinet VPN client using a leaked password.

Last but not least, this is the time to implement an efficient patch management process and to fix a vulnerability 2 years after its public disclosure.

Affected Products
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12

(branches and versions other than the above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

More details here: https://www.fortiguard.com/psirt/FG-IR-18-384

Original Post at https://seguranca-informatica.pt/the-global-impact-of-the-fortinet-50-000-vpn-leak-posted-online/#.X8Dk581Kg2x

About the authors: Pedro Tavares

Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.