You are currently viewing Legacy FortiOS Bug Exploited to Bypass Authentication

Legacy FortiOS Bug Exploited to Bypass Authentication

  • Post author:
  • Reading time:3 mins read

In the realm of cybersecurity, vulnerabilities are a constant concern, and the repercussions of neglecting older flaws can be significant. A recent example of this is the active exploitation of a five-year-old vulnerability in Fortinet’s FortiOS SSL VPN, identified as CVE-2020-12812. This flaw allows attackers to bypass two-factor authentication (2FA) under specific conditions, highlighting the importance of timely patching and robust security configurations.

Root Cause

The root cause of CVE-2020-12812 lies in the inconsistent handling of username case sensitivity between FortiOS and Lightweight Directory Access Protocol (LDAP) configurations. Specifically, FortiOS, by default, treats usernames as case-sensitive, whereas LDAP does not. This discrepancy can be exploited when local 2FA users are also members of LDAP groups used in authentication policies. If a user enters a username with a different case than what is stored locally, FortiGate may fail to match the local 2FA user and instead authenticate directly via LDAP, bypassing the 2FA requirement.

Impact & Exploit Potential

The impact of this vulnerability is significant, as successful exploitation allows unauthorized access to systems that are supposedly protected by 2FA. This can lead to a range of malicious activities, including data breaches, system compromise, and the deployment of ransomware. The CVE-2020-12812 vulnerability has a CVSS score of 9.8, reflecting its critical severity. CISA has also added this CVE to their KEV Catalog.

Tactics, Techniques, and Procedures (TTPs)

Attackers are actively exploiting this vulnerability to gain initial access to target systems. The primary tactic involves bypassing 2FA, which is a common security measure. The specific technique used is:

  • TA0001 – Initial Access: Attackers exploit the vulnerability to gain an initial foothold into the target network.
  • T1078 – Valid Accounts: By exploiting the case-sensitivity issue, attackers can use valid accounts to gain unauthorized access.

Affected Products

The vulnerability affects the following versions of FortiOS:

  • FortiOS 6.4.0
  • FortiOS 6.2.0 to 6.2.3
  • FortiOS 6.0.9 and below

It’s crucial to note that FortiGate Next Generation Firewalls, which utilize purpose-built security processors and threat intelligence security services from FortiGuard labs, are affected.

Mitigation & Recommendations

To mitigate the risk associated with CVE-2020-12812, organizations should take the following steps:

  • Apply Patches: Upgrade to patched versions of FortiOS. Fortinet addressed the vulnerability in FortiOS 6.0.10, 6.2.4, and 6.4.1 in July 2020.
  • Disable Username Sensitivity: For organizations that cannot immediately apply patches, the following commands can be used as a workaround:
    • For FortiOS versions prior to 6.0.13, use: set username-case-sensitivity disable
    • For FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1, and newer, use: set username-sensitivity disable

Disabling username sensitivity ensures that FortiGate treats all username case variations as the same, preventing the bypass of 2FA.

Real-World Observations

The exploitation of CVE-2020-12812 has been observed in multiple real-world attacks. The FBI and CISA published a joint alert in April 2021, warning of APT groups exploiting this and other Fortinet vulnerabilities. Additionally, Iran-linked APT groups and the Hive ransomware operators have been observed exploiting this flaw in various attacks. The Iran-linked COBALT MIRAGE APT group was also spotted exploiting CVE-2020-12812.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.