FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Fortinet is aware that a malicious actor has disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems which were unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actors scan, but may since have been patched but the passwords not reset.
Please note that a password reset following upgrade is critical to protecting against this vulnerability, in case credentials have already been compromised.
FortiOS 6.0 - 6.0.0 to 6.0.4
FortiOS 5.6 - 5.6.3 to 5.6.7
FortiOS 5.4 - 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
- Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
- Treat all credentials as potentially compromised and perform an organization-wide password reset.
- Fortinet recommend the implementation of multi-factor authentication, which will help mitigate the abuse of any compromised credentials now and in the future.
As a temporary solution, the only workaround is to totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:
purge (purge all authentication-rules)
config firewall policy
delete [policy-id] (SSL VPN policy ID(s) that srcintf is "ssl.root" and dstintf is "port1")
2019-06-04 Clarified the impacted versions and workarounds.
2019-08-30 FortiOS 5.4 branch (starts from 5.4.6) also affected and fix scheduled.
2019-08-30 two-factor authentication mitigation added for the disclosed exploit.
2019-08-30 Add public disclosure reference link.
2019-11-26 New fix on 5.4.13 released.
2021-09-08 Updated to reflect threat actor publication of compromised credentials
Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.