btafx.blogg.se

Fortinet vpn port






Around 50,000 Fortigate VPN accounts from around the globe were leaked to the public Internet last week. Not really news anymore, you can learn details elsewhere.

What I asked myself about that was – is there anything to be done to prevent or lower the damage of such vulnerabilities? The remotely exploitable vulnerabilities after all are that – remote, if you have to provide remote services on your Fortigate (VPN/Port Forwarding, etc), and no one can predict what the next vulnerability is going to be – how can we possibly prepare? The short answer is we can’t, the long answer – it depends. Below are some ideas of mine to lower the risk/damage or even prevent remote exploitation by built-in Fortigate means.

Would these measures prevent such leaks? Not sure, but I believe for many of these 50,000 they would. “Security through obscurity” was the label for such measures in the early 2000s, but not anymore, not at all.

Let’s have a look at a possible path to such public leaks/dumps. It starts with a script kid Joe hearing about some vulnerabilities in Fortinet-something firewall/or “whatever they called the device on the Twitter”. He goes to shodan.io, puts “Fortinet” in the search box and voila – 79,171 devices found! Zero effort. Conveniently for Joe, Nessus has already published the plugin for that (he couldn’t even know that all he needed was curl/wget in a loop), again, zero effort for Joe. He runs the automatic scan and gets the list of vulnerable Fortigates with no idea what to do with them. So, naturally he brags about “pwn1ng” lots of Pentagon firewalls on social networks. This list of devices gradually spreads, until someone bored enough to run a wget downloading VPN users caches from those Fortigates finds it amusing to post the dump online. Again – zero effort on the attacker’s part. The Fortigates haven’t been compromised yet, but now each and every vulnerable Fortigate, which could go unnoticed for years, is being probed/watched by tens, then hundreds, then thousands of Joes/Janes on the Internet until someone sees a benefit and connects with the stolen VPN credentials for real and pivots into the LAN.

All this “chain of contagion” could have been prevented had the Fortigate admin implemented the “masks protection”, of course first of all updates to the FortiOS, but even the measures below would do the trick.






