On 8th September 2021, Fortinet became aware that a malicious actor had recently disclosed SSL-VPN access information obtained from FortiGate SSL-VPN devices. These credentials were harvested from systems that had remained unpatched against CVE-2018-13379 (FG-IR-18-384).
Although the actor's scan took place some time ago, any device whose passwords have not been reset since then remains vulnerable.
This is entirely related to an old vulnerability disclosed in May 2019. At that time Fortinet issued a PSIRT advisory and communicated directly with customers. Fortinet states that customer security is its first priority, and it has published several detailed corporate blog posts strongly encouraging customers to upgrade affected devices.
Those blog posts, published in August 2019, July 2020, April 2021, and June 2021, were in addition to the bulletin, the advisory, and the direct communication with customers.
Fortinet also reiterated that if an organization was running an affected version (as listed in the original advisory), then even after upgrading the device it still needs to perform the recommended user password reset following the upgrade, as described in the customer support bulletin and the other published information. Otherwise the device remains vulnerable post-upgrade if user credentials were previously compromised.
For any organization that was running an affected version listed in the original advisory, Fortinet recommends the following steps to ensure that the credentials cannot be abused:
- Disable all VPNs until the remediation steps below have been taken.
- Immediately upgrade affected devices to the latest available release.
- Treat all credentials as potentially compromised by performing an organization-wide password reset.
- Implement multi-factor authentication, which helps mitigate abuse of any credential that is compromised in the future.
Affected users will receive a notification through the HIBP (Have I Been Pwned) domain search explaining why they need to reset their password. Because the exposed password may have been reused for other accounts, it could also be used in credential stuffing attacks against those accounts.
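As an added example that is not part of this article or of Fortinet's guidance, the Python below shows how an organization doing the recommended password reset can check whether a password already appears in a known breach corpus, using the k-anonymity scheme of the Have I Been Pwned Pwned Passwords range API: only the first five hex characters of the password's SHA-1 hash leave the organization, and the API returns every matching hash suffix with its breach count. The range response here is a constructed sample so the code runs offline; `sample_fetch_range` stands in for an HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>`, and the counts in the sample are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for the SHA-1
# prefix 5BAA6. The real API returns the same "SUFFIX:COUNT" line format;
# the suffixes and counts below are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue  # tolerate a garbled line rather than failing the whole check
    return counts


def sample_fetch_range(prefix: str) -> str:
    """Hypothetical stand-in for an HTTPS GET of the range API (offline sample)."""
    if prefix == "5BAA6":
        return SAMPLE_RANGE_RESPONSE
    return ""  # no known hashes for this prefix in the constructed sample


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach corpus (0 if absent).
    The full hash is never transmitted: only the prefix goes to fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def should_force_reset(password: str,
                       fetch_range: Callable[[str], str] = sample_fetch_range) -> bool:
    """Policy hook: any breach exposure means the password must be replaced."""
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, sample_fetch_range)
        verdict = "force reset" if n else "not in sample corpus"
        print(f"{candidate!r}: seen {n} times -> {verdict}")
```

In production, `fetch_range` would issue the real GET against the API and the check would run at password-change time so that a user cannot replace a leaked password with another already-breached one; the prefix-only query means the service never learns the password or its full hash.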