Systems Engineering is aware of the FBI and CISA joint security advisory indicating that threat actors are potentially exploiting multiple Common Vulnerabilities and Exposures (CVEs) in Fortinet's operating system, FortiOS. The advisory calls out three vulnerabilities that may be used to gain access to business networks as a first step toward data exfiltration or data encryption (ransomware) attacks. The vulnerabilities are:
FortiOS SSL VPN’s web portal
May allow an unauthorized attacker to download FortiOS system files.
(Review 09.04.19 Security Alert)
FortiOS SSL VPN FortiToken
May allow bypass of two-factor authentication when the case of the username is changed at login. An attacker would still need valid user credentials (username and password) to access the SSL VPN.
FortiOS LDAP Server
May allow an unauthorized attacker on the same IP subnet to intercept sensitive information by impersonating the LDAP server.
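To make the FortiToken item above concrete from a defender's point of view, the following is an added illustration (written for this page, not Fortinet code, and making no claim about how FortiOS is implemented internally) of the general bug class: the password check resolves the account case-insensitively, as directory lookups usually do, but the two-factor enrolment check is keyed on the username exactly as typed. The account data, password and token value are constructed sample values; the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample account store (hypothetical data, not real credentials).
# The password table is matched case-insensitively; the two-factor enrolment
# table is keyed by the exact spelling the user was enrolled under.
_PASSWORDS = {"Alice": hashlib.sha256(b"correct horse battery").hexdigest()}
_TWO_FACTOR_ENROLLED = {"Alice"}
_VALID_TOKEN = "123456"  # constructed stand-in for a one-time token value


def _find_account(username):
    """Case-insensitive, directory-style lookup; returns the stored spelling."""
    for stored in _PASSWORDS:
        if stored.lower() == username.lower():
            return stored
    return None


def _password_matches(stored_name, password):
    """Constant-time compare of the submitted password against the stored hash."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_PASSWORDS[stored_name], digest)


def login_vulnerable(username, password, token=None):
    """Bug class: enrolment is checked against the name as typed.

    A login under a differently cased spelling passes the password check
    (case-insensitive lookup) but misses the enrolment table (exact match),
    so the second factor is never demanded.
    """
    stored = _find_account(username)
    if stored is None or not _password_matches(stored, password):
        return "denied"
    if username in _TWO_FACTOR_ENROLLED:  # wrong key: submitted spelling
        return "granted" if token == _VALID_TOKEN else "denied"
    return "granted"


def login_hardened(username, password, token=None):
    """Fix: canonicalise once, then key every policy decision on that name."""
    stored = _find_account(username)
    if stored is None or not _password_matches(stored, password):
        return "denied"
    if stored in _TWO_FACTOR_ENROLLED:  # canonical stored spelling
        return "granted" if token == _VALID_TOKEN else "denied"
    return "granted"


if __name__ == "__main__":
    pw = "correct horse battery"
    print("vulnerable, exact case, no token :", login_vulnerable("Alice", pw))
    print("vulnerable, other case, no token :", login_vulnerable("alice", pw))
    print("hardened,   other case, no token :", login_hardened("alice", pw))
    print("hardened,   other case, token    :", login_hardened("alice", pw, "123456"))
```

The design point is that identity should be normalised to one canonical form at the moment the account is resolved, and every later decision (second factor, group membership, logging) should use that canonical name rather than the raw input. The same principle is a useful review check for any in-house portal that fronts a case-insensitive directory, and successful SSL VPN logins whose username spelling differs from the enrolled account are worth flagging in authentication logs until the patch is applied.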
Course of Action
We recommend that all Systems Engineering clients patch their FortiOS for these vulnerabilities. SE EventWatch® and SE Essentials managed services clients had the high-risk vulnerability (CVE-2018-13379) patched when the security update became available. Currently, we are proactively working with these services clients to address the two medium-risk vulnerabilities (CVE-2020-12812 and CVE-2019-5591).
If you are a client not covered under one of the previously mentioned services and would like assistance with patching your FortiOS, please reach out to our Customer Service team at 207.772.4199 to schedule a FortiOS security patch ticket.
For all clients, please contact your Account Manager with any questions regarding these FortiOS vulnerabilities.