Description
Scope
The custom Event Handler and Report provided can be used in FortiAnalyzer 6.2 and FortiAnalyzer 6.4.
See the Solution section for instruction on how to load these into a FortiAnalyzer.
Solution
The security of our customers is our first priority. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
The following Common Vulnerabilities and Exposures (CVE) are included in the joint CSA:
o CVE-2018-13379, a path traversal vulnerability (Common Vulnerability Scoring System base score of 9.8);
o CVE-2020-12812, an improper authentication vulnerability (CVSS base score of 9.8); and
o CVE-2019-5591, a default configuration vulnerability (CVSS base score of 7.5).
· CVE-2018-13379/FG-IR-18-384
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Affected Products
FortiOS 6.0 - 6.0.0 to 6.0.4
FortiOS 5.6 - 5.6.3 to 5.6.7
FortiOS 5.4 - 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
More details can be found at https://www.fortiguard.com/psirt/FG-IR-18-384.
· CVE-2019-5591/FG-IR-19-037
A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
Affected Products
FortiOS 6.2.0 and below.
Solutions
Upgrade to FortiOS 6.2.1 and above.
More details can be found at https://www.fortiguard.com/psirt/FG-IR-19-037
· CVE-2020-12812/ FG-IR-19-283
An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
This happens when two-factor authentication is enabled in the "user local" setting, and that user authentication type is set to a remote authentication method (eg: ldap).
The issue exists because of inconsistent case sensitive matching among the local and remote authentication.
Affected Products
FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below
Solutions
Upgrade to the following FortiOS version:
6.4.1 or later
6.2.4 or later
6.0.10 or later
More details can be found at https://www.fortiguard.com/psirt/FG-IR-19-283
Fortinet customers are advised to upgrade to the recommended FortiOS versions to mitigate against these vulnerabilities and exploits.
Scope
The custom Event Handler and Report provided can be used in FortiAnalyzer 6.2 and FortiAnalyzer 6.4.
See the Solution section for instruction on how to load these into a FortiAnalyzer.
Solution
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect attack attempts to exploit SSL VPN Vulnerabilities in FortiOS.
The Event Handler and Report will:
- Detect and report on IPS events of attempts to exploit CVE-2018-13379
- Report on FortiGate OS versions that are vulnerable to the above vulnerabilities
- NOT detect whether configuration has been applied to fix configuration vulnerabilities.
To apply fixes for configuration vulnerabilities in CVE-2019-5591 and CVE-2020-12812, please visit the FortiGuard link above for recommendations. Additionally, visit the FortiGuard link corresponding to CVE-2018-13379 for info on mitigating the vulnerability.
What is included in Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip?
1. Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json
This event handler helps detect attempts at exploiting CVE-2018-13379, based on FortiGate IPS signature detection.
It includes the following IPS signature:
FortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure
2. Outbreak_Alerts_FOS-Vulnerabilities_Report.dat
A Threat Hunting Report to summarize:
- Affected FortiGates by vulnerabilities detection
- SSL VPN Vulnerability IPS detection
All screen shots provided below for illustration purposes are taken from FortiAnalyzer 6.4.4.
1) Download the Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip file (contains 2 files)
2) Unzip Outbreak_Alerts_FortiOS_SSLVPN-Vulnerability.zip
3) Use Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json to import into Event Handlers
a. Choose an ADOM (if ADOMs are enabled)
b. Choose the FortiSOC module
c. Select Event Handler List
d. Select the Import option under "More"
e. Select Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json
Result: Outbreak_Alerts_SSLVPN-Vulnerability_Detection.json is enabled and will be triggered if the appropriate logs are received after the event handler was imported
4) Use Outbreak_Alerts_FOS-Vulnerabilities_Report.dat to import into Reports
a. Choose a Fabric ADOM (if ADOMs are enabled)
b. Choose the Report module
c. Select the Import option under "More"
d. Select Outbreak_Alerts_FOS-Vulnerabilities_Report.dat
Result: ‘Outbreak_Alerts_FOS-Vulnerabilities_Report' can be run anytime as determined by an admin user.
Related document.
https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-forti...
