The objective of this alert is to raise awareness about three vulnerabilities actively used by advanced threat actors to compromise systems.
The intent of this alert is to raise system administrator’s awareness about these vulnerabilities, allowing them to act accordingly.
If it is not already done, CERT.be recommends to system administrators to patch their vulnerable systems as soon as possible and analyze your system and network logs for any suspicious activity.
The FBI (Federal Bureau of Investigation) together with CISA (Cybersecurity and Infrastructure Security Agency) have observed APTs (Advanced Persistent Threats) perform scanning operations in March.
The scans occurred on ports 4443, 8443, and 10443 likely looking for devices vulnerable to CVE-2018-13379. They also enumerated devices for CVE-2020-12812 and CVE-2019-5591.
CVE-2018-13379 - An improper limitation of a pathname to a restricted directory (Path Traversal) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
CVE-2020-12812 - An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9, and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
CVE-2019-5591 - A default configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
Advanced threat actors may use any of these CVEs to gain access to networks in several critical infrastructure sectors in order to gain access to key networks.
It would then be possible for them to carry on exfiltration or data encryption attacks. They may also use other CVEs and/or exploitation techniques to pivot to critical infrastructure and carry on with further attacks.
Affected Vendors and Workarounds
CERT.be recommends system administrators of Fortinet devices to upgrade FortiOS to the latest available version as soon as possible.
It’s also advised to perform a thorough analysis of your network and system logs or other available data for any scanning activity on ports 4443, 8443, and 10443 or any other suspicious activity.
- CVE-2018-13379 - https://www.fortiguard.com/psirt/FG-IR-18-384
- CVE-2020-12812 - https://www.fortiguard.com/psirt/FG-IR-19-283
- CVE-2019-5591 - https://www.fortiguard.com/psirt/FG-IR-19-037
CISA warning - https://www.ic3.gov/Media/News/2021/210402.pdf
CVE-2018-13379 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379
CVE-2020-12812 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812
CVE-2019-5591 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591