FBI-CISA Joint Advisory on Exploitation of Fortinet FortiOS Vulnerabilities
ORIGINAL RELEASE DATE: APRIL 02, 2021
The Federal Bureau of Investigation (FBI) and CISA have released a Joint Cybersecurity Advisory (CSA) to warn users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. APT actors may use these vulnerabilities or other common exploitation techniques to gain initial access to multiple government, commercial, and technology services. Gaining initial access pre-positions the APT actors to conduct future attacks.
Root Cause
AGILITY NETWORK SERVICES INC. HAS PROVIDED A VERY GENERAL DESCRIPTION OF EACH FROM THE CVE SITE (A THIRD PARTY SPONSORED BY THE DEPARTMENT OF HOMELAND SECURITY):
CVE-2018-13379 Has a description of: An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.
CVE-2020-12812 Has a description of: An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.
CVE-2019-5591 Has a description of: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
About CVE: The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
CISA encourages users and administrators to review Joint CSA AA21-092A: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks and implement the recommended mitigations.
- Quota changes to large number of users
since only a single group was the target of the change, - Lowering quota below usage,
since the reported usage was inaccurately being reported as zero, - Excessive quota reduction to storage systems,
since no alert fired during the grace period, - Low quota, since the difference between usage and quota exceeded the protection limit.As a result,
the quota for the account database was reduced,
which prevented the Paxos leader from writing. Shortly after,
the majority of read operations became outdated which resulted in errors on authentication lookups.
REMEDIATION & PREVENTION
The scope of the problem was immediately clear as the new quotas took effect. This was detected by automated alerts for capacity at 2020-12-14 03:43 US/Pacific, and for errors with the User ID Service starting at 03:46, which paged Google Engineers at 03:48 within one minute of customer impact. At 04:08 the root cause and a potential fix were identified, which led to disabling the quota enforcement in one datacenter at 04:22. This quickly improved the situation, and at 04:27 the same mitigation was applied to all datacenters, which returned error rates to normal levels by 04:33. As outlined below, some user services took longer to fully recover.In addition to fixing the underlying cause, we will be implementing changes to prevent, reduce the impact of, and better communicate about this type of failure in several ways:1. Review our quota management automation to prevent fast implementation of global changes2. Improve monitoring and alerting to catch incorrect configurations sooner3. Improve reliability of tools and procedures for posting external communications during outages that affect internal tools4. Evaluate and implement improved write failure resilience into our User ID service database5. Improve resilience of GCP Services to more strictly limit the impact to the data plane during User ID Service failuresWe would like to apologize for the scope of impact that this incident had on our customers and their businesses. We take any incident that affects the availability and reliability of our customers extremely seriously, particularly incidents which span multiple regions. We are conducting a thorough investigation of the incident and will be making the changes which result from that investigation our top priority in Google Engineering.
