Fortinet last week warned that a five-year-old improper authentication flaw in FortiOS is once again in attackers’ crosshairs.
Tracked as CVE-2020-12812, the exploited FortiOS vulnerability exists because, in certain configurations, users can authenticate without being prompted for two-factor authentication (2FA).
The security defect, Fortinet says, stems from a mismatch in how FortiGate and the LDAP directory handle usernames during authentication: FortiGate treats usernames as case-sensitive by default, while the LDAP directory does not.
An attacker who already holds a valid password can simply change the case of the username. The case-variant name no longer matches the local user entry that carries the 2FA requirement, yet the LDAP bind still succeeds, so the impacted appliance never requests the second factor of authentication (FortiToken).
“This happens when two-factor authentication is enabled in the ‘user local’ setting, and that user authentication type is set to a remote authentication method,” Fortinet said in July 2020.
CVE-2020-12812 is known to have been exploited in attacks, including by ransomware groups and state-sponsored threat actors.
Now, Fortinet says hackers are once again abusing the vulnerability to bypass 2FA, but only against specific configurations. From Fortinet’s fresh advisory:
To trigger this issue, an organization must have the following configuration present:
- Local user entries on the FortiGate with 2FA, referencing back to LDAP:
- The same users need to be members of a group on the LDAP server. Example: user jsmith is a member of ‘Domain Users’, ‘Helpdesk’.
- At least one LDAP group the two-factor users are a member of needs to be configured on FortiGate e.g. ‘Domain Users’, ‘Helpdesk’, and the group needs to be used in an authentication policy which could include for example administrative users, SSL or IPSEC VPN.
If all the prerequisites are met, an attacker can submit the valid username of an admin or VPN user in any form that is not an exact case match (for example JSmith or JSMITH instead of jsmith), and the 2FA token is not requested.
“If this has occurred, system configuration should be considered as compromised and all credentials reset including those used in LDAP/AD Binding,” Fortinet notes.
Mitigations for the security defect were introduced in FortiOS versions 6.0.10, 6.2.4 and 6.4.1, in the form of a username-sensitivity setting. Organizations should update to those or newer versions and confirm that the setting is disabled, rather than relying on the upgrade alone.
“With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH and all possible combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting,” Fortinet notes.
The company also points out that the issue is only triggered when a secondary LDAP group is configured and gets used after the local user entry (the one carrying 2FA) fails to match, so organizations should remove that secondary LDAP group wherever it is not required.
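To make the fall-through concrete, the following Python model (an added example written for this article, not FortiOS or Fortinet code) reproduces the decision sequence described above: a case-sensitive lookup of the local user entry that carries the FortiToken, a case-insensitive LDAP bind, and a fall-back to any policy that accepts an LDAP group. The user jsmith, the Helpdesk group, the password and the login events are all constructed for the example; the `username_sensitivity` flag stands in for the username-sensitivity setting Fortinet refers to, and the `policies` list stands in for the secondary LDAP group. The model runs the bypass, both mitigations, and a simple review of login events for case-variant usernames that were never challenged for the second factor.

```python
"""Simulation of the FortiGate local-user / LDAP-group fall-through behind
CVE-2020-12812. Constructed illustration, not FortiOS code; every name,
group, password and login event below is made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LocalUser:
    name: str            # local user entry on the FortiGate
    two_factor: bool     # FortiToken enabled on that entry
    remote_server: str   # authentication type: a remote LDAP server (assumed name)


@dataclass(frozen=True)
class Policy:
    name: str                 # e.g. an SSL VPN or admin policy
    ldap_groups: frozenset    # LDAP groups the policy accepts; no local 2FA applies here


@dataclass
class FortiGateConfig:
    local_users: list
    policies: list
    username_sensitivity: bool = True   # case-sensitive local lookup (pre-fix behaviour)


# Constructed LDAP directory. Real directories compare usernames case-insensitively.
LDAP_DIRECTORY = {
    "jsmith": {"password": "Winter2020!",
               "groups": frozenset({"Domain Users", "Helpdesk"})},
}


def ldap_bind(username: str, password: str) -> Optional[frozenset]:
    """Simulated LDAP bind: returns the user's groups on success, None on failure."""
    entry = LDAP_DIRECTORY.get(username.lower())
    if entry is None or entry["password"] != password:
        return None
    return entry["groups"]


def find_local_user(cfg: FortiGateConfig, username: str) -> Optional[LocalUser]:
    """Local user lookup; exact match unless username sensitivity is disabled."""
    for user in cfg.local_users:
        if cfg.username_sensitivity:
            if user.name == username:
                return user
        elif user.name.casefold() == username.casefold():
            return user
    return None


def authenticate(cfg: FortiGateConfig, username: str, password: str) -> dict:
    """Decide a login: what matched and whether a second factor is demanded."""
    groups = ldap_bind(username, password)
    if groups is None:
        return {"allowed": False, "matched": None, "second_factor": False}
    local = find_local_user(cfg, username)
    if local is not None:
        # The local entry matched, so the FortiToken on that entry is enforced.
        return {"allowed": True, "matched": f"local:{local.name}",
                "second_factor": local.two_factor}
    # No local entry matched: fall through to any policy accepting an LDAP group.
    for policy in cfg.policies:
        hit = groups & policy.ldap_groups
        if hit:
            return {"allowed": True, "matched": f"group:{sorted(hit)[0]}",
                    "second_factor": False}
    return {"allowed": False, "matched": None, "second_factor": False}


def vulnerable_config() -> FortiGateConfig:
    """All three prerequisites from the advisory: 2FA local user, LDAP membership,
    and an LDAP group used in a policy."""
    return FortiGateConfig(
        local_users=[LocalUser("jsmith", two_factor=True, remote_server="corp-ldap")],
        policies=[Policy("ssl-vpn", frozenset({"Helpdesk"}))],
    )


def run_scenarios() -> dict:
    """The bypass and the two mitigations, keyed by scenario name."""
    results = {}
    cfg = vulnerable_config()
    results["exact_name"] = authenticate(cfg, "jsmith", "Winter2020!")
    results["case_variant"] = authenticate(cfg, "JSmith", "Winter2020!")   # the bypass
    cfg.username_sensitivity = False    # mitigation 1: case-insensitive matching
    results["insensitive"] = authenticate(cfg, "JSmith", "Winter2020!")
    cfg = vulnerable_config()
    cfg.policies = []                   # mitigation 2: drop the secondary LDAP group
    results["no_group_policy"] = authenticate(cfg, "JSmith", "Winter2020!")
    return results


# Constructed login events: (username as submitted, second factor performed).
EVENTS = [("jsmith", True), ("JSmith", False), ("alice", False)]


def suspicious_logins(cfg: FortiGateConfig, events) -> list:
    """Flag logins whose username is a case variant of a 2FA local user but
    which were never challenged for the second factor."""
    two_fa = {u.name.casefold(): u.name for u in cfg.local_users if u.two_factor}
    flagged = []
    for user, had_2fa in events:
        canonical = two_fa.get(user.casefold())
        if canonical is not None and user != canonical and not had_2fa:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} {outcome}")
    print("suspicious:", suspicious_logins(vulnerable_config(), EVENTS))
```

The `case_variant` scenario is the exploitable path: the LDAP bind accepts JSmith, no local entry matches it, and the Helpdesk policy lets the session through with no token. Disabling username sensitivity collapses JSmith back onto the jsmith entry, and removing the group-based policy leaves the case variant with nowhere to fall through to. The event review is the quick triage a practitioner would run over exported authentication logs after reading Fortinet's note that such a system should be treated as compromised.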
Related: In-the-Wild Exploitation of Fresh Fortinet Flaws Begins
Related: Fortinet Patches Critical Authentication Bypass Vulnerabilities
Related: Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week
Related: Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability

