Five-year-old Fortinet FortiOS SSL VPN vulnerability actively exploited

Fortinet reported active exploitation of a five-year-old FortiOS SSL VPN flaw, abused in the wild under specific configurations.

Fortinet researchers observed “recent abuse” of a five-year-old security vulnerability, tracked as CVE-2020-12812 (CVSS score: 5.2), in FortiOS SSL VPN. The vulnerability is exploited in attacks in the wild under certain configurations.

CVE-2020-12812 is an improper authentication flaw in FortiOS SSL VPN. A user whose local account has two-factor authentication enabled can log in without being prompted for the second factor simply by submitting their username in a different case (for example "alice" instead of "Alice").

“An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.” reads the advisory published by the vendor.
“This happens when two-factor authentication is enabled in the “user local” setting, and that user authentication type is set to a remote authentication method (eg: ldap). The issue exists because of inconsistent case sensitive matching among the local and remote authentication.”

The root cause is a mismatch in case handling: FortiGate matches local usernames case-sensitively by default, while LDAP directories match them case-insensitively. When a user logs in with a differently cased username, FortiGate fails to match the local user entry that carries the 2FA requirement, and instead falls back to authenticating the user directly against LDAP through the group configured in the authentication policy. Because the LDAP bind succeeds regardless of case, the user is granted whatever that policy allows (administrative, SSL VPN, or IPsec VPN access) without ever being asked for a token.

The bypass therefore requires three things at once: local users on the FortiGate with 2FA enabled that reference an LDAP server, those same users being members of a group on the LDAP server, and that LDAP group being used in an authentication policy. A successful bypass means the second factor gave no protection for that policy, so affected organizations should treat the exposed credentials as compromised and reset them.

“This particular authentication behavior is caused by FortiGate treating usernames as case-sensitive by default, when the LDAP Directory does not.” states Fortinet.

“To trigger this issue, an organization must have the following configuration present:

  • Local user entries on the FortiGate with 2FA, referencing back to LDAP
  • The same users need to be members of a group on the LDAP server
  • At least one LDAP group the two-factor users are a member of needs to be configured on FortiGate, and the group needs to be used in an authentication policy which could include for example administrative users, SSL, or IPSEC VPN”

Fortinet addressed the vulnerability in FortiOS 6.0.10, 6.2.4, and 6.4.1 in July 2020.

Organizations that cannot yet upgrade to a fixed release can mitigate the authentication bypass by executing the following command for every entry under `config user local`:

set username-case-sensitivity disable

In FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1 and later the option was renamed, so customers on those releases should apply this setting instead:

set username-sensitivity disable

With username sensitivity disabled, FortiGate treats all case variations of a username as the same account, so the local 2FA user entry is always matched and the fallback to the LDAP group policy no longer occurs.
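To make the fallback concrete, the following is a small Python model of the authentication decision described above. It is an added illustration, not FortiOS code or anything published by Fortinet: it reproduces the documented behaviour (case-sensitive local user lookup, case-insensitive LDAP matching, fallback to the LDAP group used in a policy) so the bypass and the effect of `username-sensitivity disable` can be seen side by side. The user "Alice", the password, the OTP value and the group name "vpn-users" are constructed, and the order of checks is simplified.

```python
"""Model of the CVE-2020-12812 2FA bypass and its mitigation (added example)."""
from dataclasses import dataclass


@dataclass
class LocalUser:
    name: str            # the 'edit "Alice"' entry under 'config user local'
    two_factor: bool     # 'set two-factor fortitoken'
    valid_token: str     # constructed OTP standing in for the FortiToken value


@dataclass
class LdapDirectory:
    """Stand-in for the remote LDAP server; it matches usernames case-insensitively."""
    users: dict          # username -> (password, set of LDAP group names)

    def bind(self, username, password):
        for name, (pw, groups) in self.users.items():
            if name.casefold() == username.casefold() and pw == password:
                return groups
        return None


class FortiGateModel:
    def __init__(self, local_users, directory, policy_groups, username_sensitivity=True):
        self.local_users = local_users
        self.directory = directory
        self.policy_groups = policy_groups            # LDAP groups used in an auth policy
        self.username_sensitivity = username_sensitivity  # FortiOS default: enabled

    def _find_local(self, username):
        for u in self.local_users:
            if self.username_sensitivity:
                matched = u.name == username                        # vulnerable default
            else:
                matched = u.name.casefold() == username.casefold()  # mitigated
            if matched:
                return u
        return None

    def login(self, username, password, token=None):
        """Return (granted, second_factor_checked)."""
        groups = self.directory.bind(username, password)
        if groups is None:
            return False, False          # wrong password: nothing else matters
        local = self._find_local(username)
        if local is not None and local.two_factor:
            # Local 2FA entry matched: the second factor is enforced.
            return token == local.valid_token, True
        # No local entry matched: fall back to the LDAP group policy, no 2FA prompt.
        return bool(groups & self.policy_groups), False


def build(username_sensitivity):
    directory = LdapDirectory({"Alice": ("correct-horse", {"vpn-users"})})
    local = [LocalUser("Alice", two_factor=True, valid_token="123456")]
    return FortiGateModel(local, directory, {"vpn-users"}, username_sensitivity)


def run_scenarios():
    vulnerable = build(username_sensitivity=True)
    mitigated = build(username_sensitivity=False)
    return {
        "vuln_exact_case_no_token":  vulnerable.login("Alice", "correct-horse"),
        "vuln_exact_case_token":     vulnerable.login("Alice", "correct-horse", "123456"),
        "vuln_other_case_no_token":  vulnerable.login("alice", "correct-horse"),   # bypass
        "fixed_other_case_no_token": mitigated.login("alice", "correct-horse"),
        "fixed_other_case_token":    mitigated.login("alice", "correct-horse", "123456"),
        "wrong_password":            mitigated.login("alice", "nope", "123456"),
    }


if __name__ == "__main__":
    for name, (granted, second_factor) in run_scenarios().items():
        print(f"{name:28s} granted={granted!s:5s} 2fa_checked={second_factor}")
```

The only line that differs between the vulnerable and mitigated models is the comparison in `_find_local`; everything else, including the LDAP bind succeeding for "alice", is identical. That is why the fix is a per-user setting on the FortiGate rather than a change on the directory side.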

In April 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint alert to warn of attacks carried out by APT groups targeting Fortinet FortiOS servers using multiple exploits, including CVE-2020-12812.

In July 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) published a Joint Cybersecurity Advisory that provides details on the top 30 vulnerabilities exploited by threat actors in 2020, including CVE-2020-12812.

Since at least March 2021, Iran-linked APT groups have leveraged Fortinet FortiOS vulnerabilities such as CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 to gain access to target networks.

In May 2022, researchers at Secureworks Counter Threat Unit (CTU) investigated a series of attacks conducted by the Iran-linked COBALT MIRAGE APT group. The threat actors have been active since at least June 2020 and are linked to the Iranian COBALT ILLUSION group (aka APT35, Charming Kitten, PHOSPHORUS and TunnelVision).

The researchers identified two distinct clusters of intrusions (labeled Cluster A and Cluster B) associated with COBALT MIRAGE, which was spotted exploiting CVE-2020-12812.

The Hive ransomware operators were also observed exploiting the same flaw in 2022 attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)