FortiGate SSL VPN "Breaching the Fort"
Attacker Value: Very High (1 user assessed)
Exploitability: Very Low (1 user assessed)
Description
Security researchers at SAM Seamless Network published a blog post on September 24, 2020 stating that 200,000 businesses were exposed to Man-in-the-Middle (MITM) attacks against FortiGate SSL VPNs due to the VPN client’s failure to properly verify the server’s certificate out of the box. Instead, FortiGate customers must take the extra step of configuring their SSL VPNs with a certificate signed by a trusted CA.
Ratings
Attacker Value: Very High
Exploitability: Very Low
Technical Analysis
Analysis
The VPN client verifies that certificates are signed by a) Fortinet themselves or b) a “trusted” CA. The Fortinet-signed certificate does not have its server name verified, and an attacker can substitute in another Fortinet-signed certificate for use in a man-in-the-middle (MITM) attack.
The attacker may then be able to retrieve VPN user credentials and tokens from the captured network traffic.
Exploitability
The attacker needs a Fortinet-signed certificate as well as presence on the target’s network to initiate the MITM attack. The certificate can be obtained from another Fortinet device, and the network access can be obtained through a compromised IoT device as the researchers suggested.
All in all, exploitability is lower due to the targeted exploit chain.
Impact
An attacker may obtain VPN access to an organization’s network and its services.
Recommendations
VPN administrators should use only certificates that are signed by a trusted CA.
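The verification gap described in the assessment above, shown as an added example that is not code from the page, from Fortinet, or from AttackerKB: a client policy that accepts any certificate chaining to an acceptable issuer (and so accepts a certificate taken from a different appliance) beside a policy that also requires the presented name to match the server the user intended to reach. The "certificates" are constructed dicts with placeholder issuer and host names, and the name-matching helper is a simplified RFC 6125-style comparison written for the illustration, not a production TLS implementation.

```python
"""Constructed example: issuer-only verification versus issuer plus hostname.

The certificate objects are plain dicts (constructed sample data), not real
X.509 objects. Issuer and host names are placeholders for the illustration,
not values taken from any real device.
"""
import ipaddress

# Trust anchors the client accepts, keyed by issuer name (constructed placeholders).
VENDOR_CA = "Example Vendor Factory CA"    # stands in for the vendor-signed default cert
PUBLIC_CA = "Example Public Trusted CA"    # stands in for a publicly trusted CA


def _match_dns(pattern: str, host: str) -> bool:
    """Compare one dNSName SAN entry against the expected host.

    Case-insensitive; a single '*' is allowed only as the entire left-most
    label and never matches across a dot, so '*.example.com' matches
    'vpn.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, expected_host: str) -> bool:
    """True if expected_host (a DNS name or IP literal) is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(expected_host)
    except ValueError:
        ip = None
    for kind, value in cert.get("san", []):
        if kind == "DNS" and ip is None and _match_dns(value, expected_host):
            return True
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
    return False


def weak_verify(cert: dict, expected_host: str) -> bool:
    """Issuer-only policy: any cert from the vendor CA or a public CA is accepted.

    The expected host is ignored, which is the gap the assessment describes.
    """
    return cert["issuer"] in (VENDOR_CA, PUBLIC_CA)


def strict_verify(cert: dict, expected_host: str) -> bool:
    """Hardened policy: a publicly trusted issuer AND a SAN matching the host."""
    return cert["issuer"] == PUBLIC_CA and hostname_matches(cert, expected_host)


# Constructed sample certificates.
LEGIT_CERT = {"issuer": PUBLIC_CA, "san": [("DNS", "vpn.example.com")]}
# A vendor-signed certificate from a different appliance: acceptable chain, wrong name.
OTHER_DEVICE_CERT = {"issuer": VENDOR_CA, "san": [("DNS", "some-other-appliance")]}
WILDCARD_CERT = {"issuer": PUBLIC_CA, "san": [("DNS", "*.example.com")]}


def evaluate(expected_host: str = "vpn.example.com") -> dict:
    """Run both policies over the samples; returns {name: (weak_ok, strict_ok)}."""
    samples = {
        "legit": LEGIT_CERT,
        "other_device": OTHER_DEVICE_CERT,
        "wildcard": WILDCARD_CERT,
    }
    return {
        name: (weak_verify(cert, expected_host), strict_verify(cert, expected_host))
        for name, cert in samples.items()
    }


if __name__ == "__main__":
    for name, (weak_ok, strict_ok) in evaluate().items():
        print(f"{name:13s} issuer-only={weak_ok!s:5s} issuer+hostname={strict_ok}")
```

The `other_device` row is the one that matters: the issuer-only policy accepts it, the issuer-plus-hostname policy rejects it. Requiring a publicly trusted issuer alone, as the recommendation says, closes the vendor-CA substitution; checking the name as well is what makes the check bind the certificate to the server the user actually asked for.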