
Kevin Beaumont

Fortinet SSL VPN vulnerability from May 2019 being exploited in wild


CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls.  These exist as a perimeter security control, so it's a bad vulnerability.

Using BinaryEdge.io I can see scanning activity from last night, for the first time, for this vulnerability:

[screenshot]

The scanning traffic is taking place across the whole internet it appears, spray and pray style.

The vulnerability is ridiculously easy to exploit; it's a 1996-style pre-auth ../ webserver exploit to read plain-text administrator credentials:

Quote

https://sslmgr/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

Timeline

May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384

[screenshot]

June 4th 2019 - Vendor updates advisory to correct impacted versions

August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one.

August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow.

August 17th 2019 - Another exploit, checks if vulnerable before exploit.

August 21st 2019 - Exploitation seen in wild.

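Detection logic for the request shape quoted in the post above, as an added example that is not part of the original thread and not Fortinet's code. It takes web-server or reverse-proxy access log lines (NCSA combined format is assumed; the sample lines are constructed, not real traffic), looks for GET /remote/fgt_lang requests whose decoded lang value walks out of the language directory or names sslvpn_websession, and separates a bare probe (non-200) from a request the appliance actually answered with a body. The "legitimate lang values are short language codes" rule is an assumption of this script.

```python
"""Flag CVE-2018-13379 traversal probes against /remote/fgt_lang in web logs.

Added example, not code from the thread or from Fortinet. It only looks for
the request shape shown in the post: GET /remote/fgt_lang?lang=<path> where
the decoded lang value contains ../, is absolute, or names sslvpn_websession.
Log format is assumed (NCSA combined, as a reverse proxy or IDS in front of
the appliance might produce); all sample lines below are constructed.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

FGT_LANG_PATH = "/remote/fgt_lang"
SESSION_FILE = "sslvpn_websession"

# NCSA combined log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def fully_decode(value: str) -> str:
    """URL-decode until stable so double-encoded ../ (%252e%252e%252f) is seen."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return value


def is_traversal_lang(lang: str) -> bool:
    """True if a lang= value looks like a traversal rather than a language code."""
    decoded = fully_decode(lang).replace("\\", "/")
    if SESSION_FILE in decoded:
        return True
    if "../" in decoded:
        return True
    # Assumption: real values are relative names like "en"; an absolute
    # path after normalisation is treated as an attempt to read arbitrary files.
    return posixpath.normpath(decoded).startswith("/")


def classify(line: str):
    """Return None for a benign line, or a dict describing a suspicious request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != FGT_LANG_PATH:
        return None
    langs = parse_qs(parts.query, keep_blank_values=True).get("lang", [])
    if not any(is_traversal_lang(v) for v in langs):
        return None
    status = int(m["status"])
    # A 200 with a non-empty body means the appliance served the file:
    # treat it as a likely successful credential read, not just a probe.
    served = status == 200 and m["size"] not in ("-", "0")
    return {
        "src": m["src"],
        "ts": m["ts"],
        "status": status,
        "verdict": "likely_success" if served else "probe",
        "lang": langs[0] if langs else "",
    }


def scan(log_text: str):
    """Run classify() over every line and return only the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


# Constructed sample lines (not real traffic): one probe that was answered,
# one double-encoded variant that was refused, and two benign requests.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Aug/2019:03:12:45 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 2438
198.51.100.7 - - [21/Aug/2019:03:12:46 +0000] "GET /remote/fgt_lang?lang=%252F..%252F..%252F..%252F..%252Fdev%252Fcmdb%252Fsslvpn_websession HTTP/1.1" 404 0
203.0.113.9 - - [21/Aug/2019:03:13:01 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 512
203.0.113.9 - - [21/Aug/2019:03:13:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 9041
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} status={hit['status']} "
              f"{hit['verdict']} lang={hit['lang']!r}")
```

The useful signal is not the URL string alone but status plus body size: a 200 with a body on one of these requests means the session file was returned and the device should be treated as compromised (credentials rotated, not just patched), whereas a stream of 404s from the same source is the spray-and-pray scanning the post describes.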
12 minutes ago, Nicholas L said:

This is incredible:

Quote

In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.

This security software is just awful.


I mean... why are the passwords output, regardless of the bug? This does not feel okay; it seems super "completely insecure and deliberately backdoored" to me.

[screenshot]


It does strike me as very odd for a number of reasons. First, it shows how little people are actually poking at the very devices meant to protect them (fair play to the vendors here, they do make it hard to do this in some cases) and secondly how this seemingly has remained "undiscovered" for so long.

It's no secret that anything protecting the perimeter has been massaged by those who dislike perimeters, and this is straight out of the OWASP Testing Guide 1.0 days in 2003.

Here's hoping a lot more of us now really start ripping apart security appliances, as I'm sure this isn't a unique occurrence.


We did a scan on two ports for Fortinet interfaces exposed:

Port 443 - 98115 exposed interfaces

Port 10443 - 196887 exposed interfaces

We will be importing these jobs on app.binaryedge.io later today.


  • Similar Content

    • By Tim Corless
      Came across this on my travels: https://portswigger.net/daily-swig/webmin-backdoor-blamed-on-software-supply-chain-breach
      Webmin software was backdoored for over a year. If you're using one of those vulnerable versions, update now! 
      According to shodan and some google dorks, there are quite a lot still vulnerable
    • By Kevin Beaumont
      CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. 
      I've seen it being exploited today, a few hours ago for the first time, via BinaryEdge.
      Timeline
      24th April 2019 - Vendor advisory.
      14th August 2019 - TLP Rainbow post.
      20th August 2019 - exploit posted publicly.
      22nd August 2019 - exploitation in wild.
      Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.

    • By Kevin Beaumont
      CVE-2019-1181:
      https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1181
      Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.7 score. Exploitation more likely than not.
      CVE-2019-1182:
      https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1182
      Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.7 score. Exploitation more likely than not.
      CVE-2019-1222: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1222
      Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.8 score. Exploitation more likely than not.
      CVE-2019-1223: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1223
      Unauthenticated denial of service with RDP. All versions.
      CVE-2019-1224:
      https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1224
      Unauthenticated disclosure of memory. 
      CVE-2019-1225: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1225
      Authenticated disclosure of memory.
      CVE-2019-1226: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1226
      Pre-authentication remote code execution in Remote Desktop Protocol on every version of Windows, including Windows 10, 2012, 2016 and 2019. CVSS 9.8 score. Exploitation more likely than not.
      Exploits
      There are no known public exploits for these issues. Microsoft have built some private exploits. 
      Severity
      It appears these are a collection of many different and serious vulnerabilities. BlueKeep was one vulnerability in near legacy versions of Windows; these are different vulnerabilities in modern Windows.
      Mitigations
      - Enable NLA and leave it enabled for all external and internal systems. This raises exploitation requirements to needing credentials for some of the issues.
      - Some of these vulnerabilities are not exploitable on Windows 7 and 2008 if you haven't enabled RDP 8+, aka RemoteFX (rich experiences) and the like. These are available by default in later versions of Windows.
      Wormable?
      Microsoft say yes: https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
      DejaBlue
      Funny name by @Michael Norris.