FBI, CISA warn Fortinet FortiOS vulnerabilities are being actively exploited

APT groups are suspected of harnessing three bugs, two critical, for data exfiltration purposes.
Written by Charlie Osborne, Contributing Writer

US agencies have warned that advanced persistent threat (APT) groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities.

Last week, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert (.PDF) warning that cyberattackers are actively scanning for systems that have not had patches applied to resolve three severe vulnerabilities. 

Fortinet FortiOS, an operating system underpinning Fortinet Security Fabric, is a solution designed to improve enterprise security, covering endpoints, cloud deployments, and centralized networks. 

The agencies say that CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 are being exploited. Each of these vulnerabilities is known and patches have been issued by the vendor, but unless IT administrators apply the fixes, Fortinet FortiOS builds remain open to compromise. 

CVE-2018-13379: Issued a CVSS severity score of 9.8, this path traversal vulnerability impacts the FortiOS SSL VPN portal and can permit unauthenticated attackers to download system files through malicious HTTP requests. FortiOS versions 5.4 - 5.4.6 to 5.4.12, 5.6 - 5.6.3 to 5.6.7, and 6.0 - 6.0.0 to 6.0.4 are affected. 

CVE-2020-12812: This improper authentication issue, also found in FortiOS SSL VPN, has earned a CVSS score of 9.8 as it permits users to be able to log in without being prompted for second-factor authentication if they change the case of their username. FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below contain this bug. 

CVE-2019-5591: With a CVSS score of 7.5, this vulnerability is a default configuration problem in FortiOS 6.2.0 and below that can allow unauthenticated attackers -- on the same subnet -- to intercept sensitive data by impersonating a LDAP server. 

According to the advisory, APTs are scanning with a particular focus on open, vulnerable systems belonging to government, technology, and commercial services. 

"The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks," the agencies say. "APT actors may use other CVEs or common exploitation techniques -- such as spear phishing -- to gain access to critical infrastructure networks to pre-position for follow-on attacks."

CVE-2018-13379 was resolved in May 2019, followed by CVE-2019-5591 in July of the same year. A patch was issued for CVE-2020-12812 in July 2020. 

"The security of our customers is our first priority," Fortinet said in a statement. "[...] If customers have not done so, we urge them to immediately implement the upgrade and mitigations."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards