Fortinet Targeted for Unpatched SSL VPN Discovery Activity


Description (Taken from original SANS article)

Over the past 60 days, I have observed scanning activity to discover FortiGate SSL VPN unpatched services. Fortinet has fixed several critical vulnerabilities in SSL VPN and web firewall this year, from Remote Code Execution (RCE) to SQL Injection and Denial of Service (DoS), which impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products. Two weeks ago, US-CERT released an alert reiterating that APT actors are looking for Fortinet vulnerabilities to gain access to networks.


Identification

Here is a sample of the GET request seen in the scanning. The lang parameter of /remote/fgt_lang is used for path traversal: the ../ sequences walk out of the portal's language-file directory so that the appliance returns /dev/cmdb/sslvpn_websession, the file holding active SSL VPN session data (including usernames and passwords), to an unauthenticated client.

GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1

Detection

Idappcom has created a traffic file and matching rule which detect attempts by a remote attacker to read arbitrary files from the appliance by sending a specially crafted URL, as in the request above, to the SSL VPN portal.
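The following is an added example of the kind of check such a rule performs, written here for this page; it is not Idappcom's signature 8018211 and not the rule's actual logic. It matches a request to /remote/fgt_lang whose lang parameter contains a '..' segment or names the sslvpn_websession file, after URL-decoding (including double-encoding) and collapsing repeated slashes, and runs that check over a few constructed Common Log Format access-log lines. Host addresses, timestamps and the log format are assumed for illustration.

```python
"""Flag CVE-2018-13379-style path-traversal probes against the FortiGate
SSL VPN portal, either from a raw HTTP request line or from access-log lines.

Heuristic written for this page; not Idappcom's rule or Fortinet's code.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

FGT_LANG_PATH = "/remote/fgt_lang"
TARGET_FILE = "sslvpn_websession"  # session cache the probe tries to read

# Common Log Format (assumed): host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)


def normalize_lang(value):
    """Reduce a lang= value to a comparable form.

    parse_qs already decoded it once; decoding twice more catches
    double-encoded traversal (%252e%252e%252f). Collapsing repeated slashes
    turns '..//////dev' into '../dev' so the '..' segment test sees the same
    path the appliance's file open would.
    """
    decoded = unquote(unquote(value))
    return re.sub(r"/+", "/", decoded)


def classify_request(request_line):
    """Return a reason string if the request line is a traversal probe, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    url = urlsplit(target)
    if url.path.rstrip("/") != FGT_LANG_PATH:
        return None  # only the fgt_lang handler takes the lang parameter
    for value in parse_qs(url.query, keep_blank_values=True).get("lang", []):
        norm = normalize_lang(value)
        if ".." in norm.split("/"):
            return f"path traversal in lang= ({method} {target})"
        if TARGET_FILE in norm:
            return f"request for {TARGET_FILE} via lang= ({method} {target})"
    return None


def scan_access_log(lines):
    """Return (source_host, status, reason) for every matching log line.

    The status code is carried along so an analyst can separate a probe
    that was refused from one that was answered with a body.
    """
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("request"))
        if reason:
            hits.append((m.group("host"), int(m.group("status")), reason))
    return hits


# Constructed sample log; addresses are documentation ranges, not real scanners.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [14/Apr/2020:10:21:03 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 5120',
    '198.51.100.23 - - [14/Apr/2020:10:21:10 +0000] "GET /remote/fgt_lang?lang=%252e%252e%252f%252e%252e%252fdev%252fcmdb%252fsslvpn_websession HTTP/1.1" 403 162',
    '192.0.2.44 - - [14/Apr/2020:10:22:41 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 1337',
    '192.0.2.45 - - [14/Apr/2020:10:23:00 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for host, status, reason in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{host} [{status}] {reason}")
```

Matching on the normalized lang value rather than on the literal string from the diary is what keeps the check useful once scanners vary the number of ../ segments or percent-encode the traversal; a rule keyed to the exact sample URL would miss both variants above.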


Coverage

Idappcom has an existing signature, 8018211, along with a traffic file from August 2019, that covers this vulnerability.


References

SANS ISC: Fortinet Targeted for Unpatched SSL VPN Discovery Activity

CVE-2018-13379: path traversal in the FortiOS SSL VPN web portal allowing an unauthenticated attacker to download system files via specially crafted HTTP requests


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can test your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional