Attacker Value: Very High (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

FortiGate SSL VPN "Breaching the Fort"


Description

Security researchers at SAM Seamless Network published a blog post on September 24, 2020 stating that 200,000 businesses were exposed to Man-in-the-Middle (MITM) attacks against FortiGate SSL VPNs due to the VPN client’s failure to properly verify the server’s certificate out of the box. Instead, FortiGate customers must take the extra step of configuring their SSL VPNs with a certificate signed by a trusted CA.


Analysis

The VPN client verifies that certificates are signed by a) Fortinet themselves or b) a “trusted” CA. The Fortinet-signed certificate does not have its server name verified, and an attacker can substitute in another Fortinet-signed certificate for use in a man-in-the-middle (MITM) attack.

The attacker may then be able to retrieve VPN user credentials and tokens from the captured network traffic.

Exploitability

The attacker needs a Fortinet-signed certificate as well as presence on the target’s network to initiate the MITM attack. The certificate can be obtained from another Fortinet device, and the network access can be obtained through a compromised IoT device as the researchers suggested.

All in all, exploitability is lower due to the targeted exploit chain.

Impact

An attacker may obtain VPN access to an organization’s network and its services.

Recommendations

VPN administrators should use only certificates that are signed by a trusted CA.
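
A check an administrator could run against the certificate their gateway presents, following the recommendation above (added example, not part of the original assessment or of any Fortinet tooling). It assumes the certificate has already been parsed into the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the issuer organization string, the function names and both sample certificates are constructed for illustration.

```python
# Added example: input dicts follow the shape of ssl.SSLSocket.getpeercert().
FACTORY_ISSUER_ORG = "Fortinet"  # assumption: organizationName on the built-in CA


def _field(name_tuples, key):
    """Return all values of `key` from a getpeercert()-style RDN sequence."""
    return [v for rdn in name_tuples for (k, v) in rdn if k == key]


def _name_matches(pattern, hostname):
    """Exact match, or a single left-most '*' label (RFC 6125 style)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    p_labels, h_labels = p.split("."), h.split(".")
    return (p_labels[0] == "*" and len(p_labels) == len(h_labels)
            and len(p_labels) > 2 and p_labels[1:] == h_labels[1:])


def audit_gateway_cert(cert, hostname):
    """Return findings for the certificate a VPN gateway presents."""
    findings = []
    # A Fortinet-issued certificate is one the client accepts without a name check.
    if FACTORY_ISSUER_ORG in _field(cert.get("issuer", ()), "organizationName"):
        findings.append("issuer-is-fortinet")
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    # Fall back to the subject CN only when the certificate has no SAN DNS entries.
    names = dns_names or _field(cert.get("subject", ()), "commonName")
    if not any(_name_matches(n, hostname) for n in names):
        findings.append("name-mismatch")
    return findings


# Constructed sample certificates (not captured from any real device).
DEFAULT_CERT = {
    "subject": ((("organizationName", "Fortinet"),), (("commonName", "FGT-EXAMPLE-SERIAL"),)),
    "issuer": ((("organizationName", "Fortinet"),), (("commonName", "example-factory-ca"),)),
}
REPLACED_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("replaced", REPLACED_CERT)):
        print(label, audit_gateway_cert(cert, "vpn.example.com") or "ok")
```

An empty result means the gateway presents a certificate that is not Fortinet-issued and that names the host users connect to; either finding means the recommendation above has not been applied to that gateway.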
