Fortinet confirmed the veracity of the hackers’ claims in a blog post today. The network security vendor said the credentials were stolen from systems that remain unpatched against a two-year-old vulnerability – CVE-2018-13379 – or from users who patched that vulnerability but failed to change passwords.
Fortinet said it has warned customers several times to update affected devices and reset passwords – and the vulnerability was even recently named one of the most exploited by the FBI and CISA. Some of the compromised IP addresses were posted to GitHub so users can check whether their VPNs were affected.
In an advisory, Fortinet said the path traversal vulnerability in the FortiOS SSL VPN web portal may allow an attacker to download FortiOS system files through specially crafted HTTP resource requests.
Affected products are FortiOS 6.0 (6.0.0 to 6.0.4), FortiOS 5.6 (5.6.3 to 5.6.7) and FortiOS 5.4 (5.4.6 to 5.4.12), when the SSL VPN service (web-mode or tunnel-mode) is enabled.
Affected users should disable all VPNs (SSL-VPN or IPSEC) before taking the following remediation steps:
- Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
- Treat all credentials as potentially compromised and perform an organization-wide password reset.
- Implement multi-factor authentication, “which will help mitigate the abuse of any compromised credentials now and in the future,” Fortinet said.
Fortinet added that users should be informed of the issue in case they have reused passwords in other applications.
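The following is an added example, not Fortinet's tooling, that turns the affected version ranges and remediation steps above into a check an administrator can run against a list of FortiOS builds; the `assess` function and its output keys are assumptions of this example.

```python
"""Check FortiOS builds against the CVE-2018-13379 affected ranges listed in the advisory.
Constructed example: the advisory data is embedded inline, nothing is fetched."""
from typing import Tuple

Version = Tuple[int, int, int]

# Inclusive affected range and fixed release per branch, as published in the advisory.
AFFECTED = {
    (5, 4): ((5, 4, 6), (5, 4, 12), "5.4.13"),
    (5, 6): ((5, 6, 3), (5, 6, 7), "5.6.8"),
    (6, 0): ((6, 0, 0), (6, 0, 4), "6.0.5"),
}


def parse_version(text: str) -> Version:
    """Turn '6.0.4' or 'v6.0.4' into a comparable tuple; reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str, ssl_vpn_enabled: bool) -> dict:
    """Report whether a build is in an affected range and which remediation applies.

    The path traversal is only reachable through the SSL VPN web portal, so an
    affected build with SSL VPN disabled is reported as affected but not
    exploitable in its current configuration.
    """
    ver = parse_version(version_text)
    branch = AFFECTED.get(ver[:2])
    in_range = branch is not None and branch[0] <= ver <= branch[1]
    actions = []
    if in_range:
        # Order mirrors the advisory: upgrade, then reset, then add MFA.
        actions.append(f"upgrade to FortiOS {branch[2]} or later")
        actions.append("treat all credentials as compromised; organisation-wide password reset")
        actions.append("enable multi-factor authentication")
    return {
        "version": version_text,
        "affected_build": in_range,
        "exploitable_now": in_range and ssl_vpn_enabled,
        "actions": actions,
    }


if __name__ == "__main__":
    for build, vpn in [("6.0.4", True), ("6.0.4", False), ("5.6.8", True), ("6.2.0", True)]:
        print(assess(build, vpn))
```

Builds on 6.2.x or above the fixed release fall outside every range and get no actions; the advisory's note that already-patched users must still reset passwords is a separate policy decision the check does not make for you.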
Unpatched known vulnerabilities were found to be responsible for 60% of breaches in a 2019 Ponemon-ServiceNow study, yet patching remains one of the simplest – and most neglected – cybersecurity controls.