exploit Fortinet SSL VPN vulnerability from May 2019 being exploited in wild

[Kevin Beaumont 111]

CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls.  These exist as a perimeter security control, so it's a bad vulnerability.

Using BinaryEdge.io I can see scanning activity from last night for first time for this vulnerability:

The scanning traffic is taking place across the whole internet it appears, spray and pray style.

The vulnerability is ridiculously easy to exploit, it's a 1996 style pre-auth ../ webserver exploit to read plain text administrator credentials:

Quote

https://sslmgr/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

Timeline

May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384

June 4th 2019 - Vendor updates advisory to correct impacted versions

August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one.

August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow.

August 17th 2019 - Another exploit, checks if vulnerable before exploit.

August 21nd 2019 - Exploitation seen in wild.

[Nicholas L 7]

Another good resource on this came out the 9th.

https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/

[Kevin Beaumont 111]

12 minutes ago, Nicholas L said:

Another good resource on this came out the 9th.

https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/

This is incredible:

Quote

In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.

This security software is just awful.

[Kevin Beaumont 111]

I mean.. why are the passwords output, regardless of the bug? This does not feel okay, it seems super ‘completely insecure and deliberately backdoored’ to me. 

[Daniel Cuthbert 16]

It does strike me as very odd for a number of reasons. First it shows how little people are actually poking at the very devices meant to protect them (fair play to the vendors here, they do make it hard to do this in some cases) and secondly how this seemingly has remained "undiscovered" for so long.

It's no secret that anything protecting the perimeter has been massaged by those who dislike perimeters and this is straight out of the OWASP Testing Guide 1.0 days in 2003

here's hoping a lot more of us now really start ripping apart security appliances as i'm sure this isn't a unique occurance.

 

 

[Kevin Beaumont 111]

The original attacker IP is a bit noisy 😄 https://www.abuseipdb.com/check/91.121.209.213

Quote

here's hoping a lot more of us now really start ripping apart security appliances as i'm sure this isn't a unique occurance.

You're not wrong.

[Tim Ehrhart 1]

On 8/22/2019 at 4:46 PM, Kevin Beaumont said:

In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.

The "magic" is out (4tinet2095866) and weaponized in a quick tool already:

https://github.com/milo2012/CVE-2018-13382

 

[Daniel Cuthbert 16]

This isn't just a sloppy validation issue. It's not the first time either https://www.theregister.co.uk/2016/01/12/fortinet_bakdoor/

but yeah a simple way to look at this:

If Chinese then backdoor, if western then "An Improper Authorization vulnerability"

[Tiago Henriques 2]

We did a scan on two ports for fortinet interfaces exposed-

 

Port 443 - 98115 exposed interfaces

Port 10443 - 196887 exposed interfaces

 

We will be importing these jobs on app.binaryedge.io later today.

[Tiago Henriques 2]