Summary:
Amidst the global lock-down environment, hackers have come forward to use SSL VPN vulnerabilities and gets lucrative. Hackers have targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies., throughout the previous year (which already Qualys have protection covered) and again this time they have come up with FortiOS SSL VPN as target. Multiple pre and post auth SSL VPN vulnerabilities have been observed over the wild, in Fortigate SSL VPN devices.
Description:
There are more than 480k SSL VPN servers operating on the internet and is common in Asia and Europe. One can identify it from the URL /remote/login.
Fortigate compiles all the programs and conf files into a single binary, which makes the /bin/init huge. The Web Daemon provide 2 web interfaces running on the Fortigate. One is for the admin interface, handled with /bin/httpsd on the port 443. The other is normal user interface, handled with /bin/sslvpnd on the port 4433 by default. Generally, the admin page should be restricted from the internet, so we can only access the user interface.
A brief of five reported CVEs for FortiOS SSL VPN are:
- CVE-2018-13379 Arbitrary File Read (Pre-Authentication)
- CVE-2018-13380 Cross-Site Scripting (Pre-Authentication)
- CVE-2018-13381 Heap Overflow (Pre-Authentication)
- CVE-2018-13382 Improper Authorization (“Magic Backdoor”)
- CVE-2018-13383 Heap Overflow (Post-Authentication)
CVE-2018-13379: Pre-auth arbitrary file reading*
A pre-authentication arbitrary file read vulnerability CVE-2018-13379, in the way FortiOS attempts to request a language file from the system. A session file ‘sslvpn_websession,’ that contains a username and plaintext password on a vulnerable system becomes readable on exploitation.
There is no protection, but a file extension appended automatically. It seems like one can only read json file. However, we can abuse the feature of By manipulating snprintf one can trick to exceed the buffer size and strip .json file the. Then one can read whatever we want.
snprintf(s, 0x40, “/migadmin/lang/%s.json”, lang);
CVE-2018-13380: Pre-auth XSS
*****************************************************************************
- /remote/error?errmsg=ABABAB–%3E%3Cscript%3Ealert(1)%3C/script%3E
- /remote/loginredir?redir=6a6176617363726970743a616c65727428646f63756d656e742e646f6d61696e29
- /message?title=x&msg=%26%23<svg/onload=alert(1)>;
*****************************************************************************
CVE-2018-13381: Pre-auth heap overflow
First the server calculates the buffer length of encoded string while encoding HTML entities code. Secondly, it encodes into the buffer. In the calculation stage, for example, encode string for < is < and this should occupy 5 bytes. If it encounter anything starts with &#, such as <, it consider there is a token already encoded, and count its length directly. If we input a malicious string like &#<<<;, the < is still encoded into <, so the result should be &#<<<;! This is much longer than the expected length 6 bytes, so it leads to a heap overflow.
CVE-2018-13382: The magic backdoor*
A special parameter called magic was found in the login page. Once the parameter meets a hardcoded string, one can modify any user’s password. However, an attacker would need to know what the “magic” string is in order to reset a password.
CVE-2018-13383: Post-auth heap overflow
This is a vulnerability on the WebVPN feature. While parsing JavaScript in the HTML, it tries to copy content into a buffer with the following code:
memcpy(buffer, js_buf, js_buf_len);
The buffer size is fixed to 0x2000, but the input string is unlimited. Hence, it leads to heap overflow. When an attacker instructs the SSL VPN to proxy to an attacker-controlled web server hosting an exploit file, this vulnerability gets triggered.
Image Source: Meh Chang and Orange Tsai
The PoC can be divided into three parts., viz., Fake SSL structure, ROP chain and Overflow string that can be understood in detail here.
As an update to FortiOS and according to April ’21 CISA update, CISA warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
Affected Products:
FortiOS 6.0.0 to 6.0.4
FortiOS 5.6.0 to 5.6.7
FortiOS 5.4 and below
Advisory:
https://fortiguard.com/psirt/FG-IR-18-383
https://fortiguard.com/psirt/FG-IR-18-384
https://fortiguard.com/psirt/FG-IR-18-387
https://fortiguard.com/psirt/FG-IR-18-388
https://fortiguard.com/psirt/FG-IR-18-389
https://www.fortiguard.com/psirt/FG-IR-19-037
Mitigation:
NOTE:* Vulnerable only when SSL VPN service is enabled.
Fortinet has provided workarounds, which can be found in the advisory pages listed in the table above. Please note that some of the workarounds include disabling the SSL-VPN service entirely.
Fortigate has updated the patches and released for CVE-2018-13379,CVE-2018-13380,CVE-2018-13381,CVE-2018-13382,CVE-2018-13383, CVE-2020-12812, and CVE-2019-5591.
Qualys customers can scan their network with QID(s)# 43703,13544, 43825, and 43769 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
Workaround Detection
Qualys Policy Compliance customers can evaluate workaround for issues of CVE-2018-13379, CVE-2018-13380, CVE-2018-13381, CVE-2018-13382 and CVE-2018-13383 by following Control
20010 Status of the source interface setting for SSL-VPN
As Pass condition, please make sure there’s no “source-interface” related settings set.
In addition, to issue of CVE-2019-5591, customer can use control
21078 Status of Secure Connection, Protocol, Certificate, and server-identity-check setting for all LDAP Servers
As Pass condition, please make sure checks for LDAP server identity is enabled. Here is a sample Regex you can refer to define the control evaluation:
.+\|:\|.+\:\|set\s+secure\s+ldaps\|:\|.+\|:\|set\s+server-identity-check\s+enable
References & Sources:
- http://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
- https://twitter.com/codewhitesec/status/1145967317672714240
- https://www.exploit-db.com/exploits/47287
- https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
- https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios
