Moderate
CVE-2020-12812
CVE-2020-12812
Description
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
Add Assessment
Technical Analysis
The advisory isn’t worded very well, but it seems that logging in to the SSL VPN with a different-case username than set will allow 2FA to be bypassed, opening up the VPN to password attacks, such as password spraying.
Successful VPN access to an internal network can open up a lot of doors for an attacker, turning an external compromise into an authorized internal one. Many corporate services are hidden behind VPN. That said, proper network segmentation and secondary access controls can mitigate some of the risk. The “attacker value” is “medium” because this is just a 2FA bypass and also because of the listed caveats. It isn’t terribly useful on its own.
The KB article is written much better.
Technical Analysis
CISA and the FBI put out a joint warning that this is one of several FortiOS vulnerabilities APTs are exploiting to gain initial access to government and other services. We know, however, that plenty of non-APT attackers have also targeted Fortinet devices over the past several years. See the page for CVE-2018-13379 as an example. These things are high value and give attackers internal network access—keep ‘em updated on a hair trigger!
CVSS V3 Severity and Metrics
General Information
Vendors
- fortinet
Products
- fortios,
- fortios 6.4.0
Exploited in the Wild
References
Miscellaneous
