FBI and CISA Warning
Hackers are actively targeting FortiOS vulnerabilities
On April 2, 2021, the FBI and CISA released a joint advisory warning that hacking groups are actively targeting known vulnerabilities in FortiOS. The attackers are said to be scanning devices on ports 4443, 8443 and 10443 for the following vulnerabilities:
CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
CVE-2020-12812: An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
CVE-2019-5591: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
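As an added example (not from the advisory, the FBI/CISA, or Fortinet), the following Python flags the CVE-2020-12812 symptom described above in SSL VPN authentication records: a successful login on one of the scanned ports with no second-factor prompt and a username that matches a provisioned account only after case folding. The record format, the usernames and the sample records are constructed for the example and are not the real FortiOS log format.

```python
from dataclasses import dataclass

# Constructed sample records in a simplified made-up format (not the real
# FortiOS log format): timestamp|source_ip|dst_port|username|second_factor_prompted|result
SAMPLE_AUTH_LOG = """\
2021-04-03T10:01:12Z|203.0.113.5|10443|jsmith|yes|success
2021-04-03T10:04:40Z|198.51.100.7|10443|JSmith|no|success
2021-04-03T10:05:02Z|198.51.100.7|10443|jsmith|yes|failure
2021-04-03T10:07:51Z|192.0.2.9|8443|ADMIN|no|success
2021-04-03T10:09:03Z|203.0.113.5|443|mlee|no|success
"""

KNOWN_USERS = {"jsmith", "admin", "mlee"}   # provisioned spelling (constructed)
SSLVPN_PORTS = {4443, 8443, 10443}           # ports the advisory says are scanned

@dataclass(frozen=True)
class Finding:
    timestamp: str
    source_ip: str
    username: str
    reason: str

def parse_line(line):
    """Split one sample record into typed fields."""
    ts, src, port, user, prompted, result = line.strip().split("|")
    return ts, src, int(port), user, prompted == "yes", result == "success"

def find_mfa_bypass_candidates(log_text, known_users=KNOWN_USERS, ports=SSLVPN_PORTS):
    """Flag successful SSL VPN logins on the scanned ports where the second
    factor was never prompted and the username matches a provisioned account
    only after case folding: the CVE-2020-12812 symptom the advisory describes."""
    canonical = {name.casefold(): name for name in known_users}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port, user, prompted, success = parse_line(line)
        if port not in ports or not success or prompted:
            continue  # normal login, failed attempt, or not an SSL VPN port
        provisioned = canonical.get(user.casefold())
        if provisioned is not None and user != provisioned:
            findings.append(Finding(ts, src, user,
                f"second factor skipped; case variant of '{provisioned}'"))
    return findings

if __name__ == "__main__":
    for f in find_mfa_bypass_candidates(SAMPLE_AUTH_LOG):
        print(f.timestamp, f.source_ip, f.username, f.reason)
```

A hit is a candidate to investigate, not proof of exploitation; correlate with the source address and with the patch level of the device before acting.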
"It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks."
The joint advisory recommends applying patches for these three vulnerabilities immediately, and also recommends that organizations adopt practical measures to recover should they be affected. These measures include, but are not limited to:
Regularly backing up data
Implementing a recovery plan
Using multifactor authentication wherever available
Disabling unused remote access/Remote Desktop Protocol (RDP) ports
Monitoring remote access/RDP logs
Fortinet has responded to the advisory, stating, "We continually strive to improve processes, including actively testing our code and fixing issues detected both internally and externally to deliver a more robust solution to our customers."
You can access the full joint cybersecurity advisory here.