Cybercriminals are actively abusing a long-patched Fortinet FortiGate flaw from July 2020, slipping previous two-factor authentication (2FA) on firewalls and probably granting unauthorized entry to VPNs and admin consoles.
Fortinet’s PSIRT group detailed the in-the-wild assaults in a latest weblog publish, urging admins to audit configurations instantly to keep away from compromise.
Dubbed FG-IR-19-283 (CVE-2020-12812), the problem stems from a mismatch in how FortiGate units deal with usernames in contrast with LDAP directories. FortiGate treats usernames as case-sensitive by default, whereas most LDAP servers, like Lively Listing, ignore case.
Attackers exploit this in misconfigured setups the place native FortiGate customers have 2FA enabled and are additionally members of LDAP teams mapped to authentication insurance policies.
The assault unfolds merely. Suppose an area consumer “jsmith” has 2FA enabled and linked to an LDAP group akin to “Area Customers.” Logging in with the precise “jsmith” triggers the token immediate.
However hackers enter “Jsmith,” “jSmith,” or any case variation. FortiGate fails to match the native consumer, then falls again to secondary authentication insurance policies tied to LDAP teams akin to “Helpdesk” or “Auth-Group.” Legitimate LDAP credentials alone suffice, bypassing 2FA completely.
Fortinet confirmed these conditions for exploitation:
Native FortiGate customers with 2FA referencing LDAP.
These customers in LDAP teams configured on FortiGate and utilized in firewall insurance policies (e.g., for SSL/IPsec VPN or admin entry).
This grants attackers VPN entry or elevated privileges with out tokens. Fortinet warns that profitable bypasses sign compromise: reset all credentials, together with LDAP/AD binding accounts, and scrutinize logs for anomalies like failed native matches adopted by LDAP successes.
The vulnerability dates again to 2020, with fixes in FortiOS 6.0.10, 6.2.4, and 6.4.1. But, unpatched or misconfigured units linger within the wild, drawing opportunistic hackers. Fortinet’s evaluation reveals attackers probing particular setups, possible scanning for outdated firmware.
Mitigations
Admins ought to prioritize these steps:
Patch Firmware: Improve to FortiOS 6.0.10+, 6.2.4+, or 6.4.1+ to dam the failover habits.
Disable Case Sensitivity: On unpatched techniques, run set username-case-sensitivity disable (FortiOS 6.0.10–6.0.12, and many others.) or set username-sensitivity disable (v6.0.13+, v6.2.10+, v6.4.7+, v7.0.1+). This normalizes usernames like “jsmith” and “JSMITH.”
Trim LDAP Teams: Take away pointless secondary teams from insurance policies. With out them, mismatched logins fail outright.
Audit Logs: Hunt for case-variant makes an attempt in authentication occasions.
Fortinet emphasizes that the absence of LDAP teams eliminates bypass threat for local-only customers. This incident underscores a harsh actuality: outdated vulnerabilities thrive on configuration drift.
With FortiGate firewalls shielding crucial networks, enterprises should implement least-privilege insurance policies and common audits. A delay may allow ransomware or lateral motion. Act now earlier than hackers crack your defenses.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
