Beware of Unpatched Fortinet VPN Devices

Do You Have an Unpatched Fortinet VPN?

The UK’s National Cyber Security Centre (NCSC) has issued an advisory about the dangers of unpatched Fortinet VPNs. The agency found that many British organizations have neglected to patch the Fortinet VPN vulnerability CVE-2018-13379 released almost two years ago. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued similar alerts about the danger to U.S. networks.

Advanced Persistent Threat groups (APTs) and cyber criminals are very aware of this gaping security hole. And they are actively exploiting it. To make matters worse, a second incident related to Fortinet security occurred late in 2020. Credentials were stolen for tens of thousands of Fortinet VPNs as well as a great many related session IPs.

This is regarded as such a severe risk that the NCSC advises anyone using this VPN without the patch “to assume they are now compromised and to begin incident management procedures.”

The advisory listed a series of mitigation measures. To summarize, IT is advised to remove these VPN devices from service, return them to their factory default settings, reconfigure them, install all patches and only then return them to service. An upgrade to the latest FortiOS version is also recommended. Further action indicated is to scan all hosts and networks that are in any way connected to the VPN to look carefully for any signs of malicious activity.

Ransomware Implications

The bad guys are using the exploit for a variety of nefarious purposes. Chief among them is ransomware. One facility in Europe, for example, had its industrial control servers compromised with a new ransomware variant known as Cring.

The unpatched VPNs allow attackers to remotely burrow into the system, gain access to usernames and passwords, and manually login to the network. A domino effect then plays out. Once inside, hackers use malware to obtain more authentication credentials to gain control of larger segments of the network and encrypt even more files. Users are locked out and ransom notices appear.

The harsh reality is that all of this could have been avoided. Such events are preventable if patching best practices are rigorously followed. It would seem to be an obvious aspect of security that critical updates and patches are implemented rapidly – yet cases like the Fortinet VPN exploit are not uncommon.

So why would so many organizations fail to patch a VPN with an update that has been available since May of 2019? The answer lies in poor patch management tool selection and lack of automation.

How Syxsense Secure Can Help

Syxsense Secure provides automated patch management, vulnerability scanning, and IT management. It detects outdated patches and threats in real time and can be used to implement updates before bad actors can take advantage of exploits.

Syxsense Secure includes advanced features such as patch supersedence, patch roll back, and a wealth of automation and configuration features.In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution. For more information, visit www.Syxsense.com

Syxscore Risk Alert

CVE-2020-12812

• CVSS Score: 9.8 Critical
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Scope (Jump Point): No

Start Your Free Trial of Syxsense

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.