FortiOS SSL VPN 2FA bypass by changing username case

Summary

An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.


This happens when two-factor authentication is enabled in the "user local" setting and that user's authentication type is set to a remote authentication method (e.g. LDAP).


The issue exists because username matching is case-sensitive in local authentication but not in remote authentication, so the two lookups can disagree on whether a given login matches the local user entry that carries the two-factor requirement.


A new CLI attribute, "username-case-sensitivity", was added to the "user local" CLI settings; it is available when remote authentication and two-factor authentication are both enabled:


config user local
    edit [name]
        set type ldap                                  /* ldap as remote authentication */
        set two-factor fortitoken                      /* fortitoken as 2FA auth method */
        set username-case-sensitivity enable*|disable  /* newly added, set to 'enable' by default */
    next
end

username-case-sensitivity is enabled by default; this is consistent with the default behavior of previous versions (the local and remote username case must match). To avoid the second-factor bypass, administrators must manually disable username-case-sensitivity.
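The following is an added model of the matching inconsistency described above, written for this advisory and not taken from FortiOS. It assumes a simplified flow in which a login whose username does not match any "user local" entry falls through to plain remote authentication, and uses a constructed local user "alice" (type ldap, two-factor fortitoken) and a constructed directory that, like most LDAP servers, matches usernames case-insensitively; the case_sensitive flag stands in for username-case-sensitivity.

```python
# Constructed "config user local" table: one LDAP-backed user with FortiToken 2FA.
LOCAL_USERS = {
    "alice": {"type": "ldap", "two_factor": "fortitoken"},
}

# Constructed remote directory; usernames are matched case-insensitively.
LDAP_DIRECTORY = {"alice": "correct-horse"}


def ldap_bind(username, password):
    """Remote authentication: case-insensitive username match, as LDAP servers commonly do."""
    stored = LDAP_DIRECTORY.get(username.lower())
    return stored is not None and stored == password


def find_local_user(username, case_sensitive):
    """Look up the 'user local' entry, honouring the username-case-sensitivity setting."""
    if case_sensitive:
        return LOCAL_USERS.get(username)
    for name, entry in LOCAL_USERS.items():
        if name.lower() == username.lower():
            return entry
    return None


def authenticate(username, password, token_ok, case_sensitive=True):
    """Return (login_succeeded, second_factor_enforced).

    Assumed flow: if no local entry matches, the login is handled by remote
    authentication alone, so the two-factor requirement attached to the local
    entry is never reached. With case_sensitive=True (the default) a username
    that differs only in case misses the local entry; with case_sensitive=False
    the entry is found and the FortiToken check applies as intended.
    """
    entry = find_local_user(username, case_sensitive)
    if entry is None:
        return ldap_bind(username, password), False
    if entry["type"] == "ldap" and not ldap_bind(username, password):
        return False, False
    if entry.get("two_factor") == "fortitoken":
        return token_ok, True
    return True, False
```

Compare authenticate("ALICE", "correct-horse", token_ok=False) under the default setting, which succeeds with no second factor, against the same call with case_sensitive=False, which is rejected until the token check passes.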

Affected Products

FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below

Solutions

Upgrade to one of the following FortiOS versions:

FortiOS 6.4.1 or later
FortiOS 6.2.4 or later
FortiOS 6.0.10 or later