Description (Taken from original SANS article)
Over the past 60 days, I have observed scanning activity to discover FortiGate SSL VPN unpatched services. Fortinet has fixed several critical vulnerabilities in SSL VPN and web firewall this year from Remote Code Execution (RCE) to SQL Injection, Denial of Service (DoS) which impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products. Two weeks ago, US-CERT released an alert re-iterating that APT actors are looking for Fortinet vulnerabilities to gain access to networks.
Identification
Here is a sample of the GET request
GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
HTTP/1.1Detection
Idappcom has created a traffic file and matching rule which detects attempts from a remote attacker sending a specially-crafted URL request to download arbitrary files on the system.
Coverage
Idappcom has an existing signature 8018211 along with a traffic file from August 2019 which covers this vulnerability.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional