Full Report
Fortinet on Wednesday said it observed "recent abuse" of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations. The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the
Analysis Summary
# Vulnerability: FortiOS SSL VPN Improper Authentication Bypass (2FA Bypass)
## CVE Details
- CVE ID: CVE-2020-12812
- CVSS Score: 5.2 (Medium)
- CWE: Improper Authentication
## Affected Systems
- Products: FortiOS SSL VPN
- Versions: Not explicitly listed in the summary, but patched versions start with 6.0.10, 6.2.4, and 6.4.1.
- Configurations:
  * Two-factor authentication (2FA) is enabled in the 'user local' setting.
  * The user authentication type is set to a remote authentication method (e.g., LDAP).
  * Local user entries exist that reference the remote LDAP server.
  * The targeted users are members of a group on the LDAP server.
  * At least one LDAP group those 2FA users belong to is configured on the FortiGate and used in an authentication policy (e.g., administrative users, SSL, or IPSEC VPN).
## Vulnerability Description
This is an improper authentication vulnerability caused by inconsistent case-sensitive matching between FortiGate's local user database and the external LDAP server. If a user attempts to log in with a username that does **not** exactly match the case of the locally configured username (e.g., logging in as 'JSmith' when the local account is 'jsmith'), FortiGate fails to match the local user entry. This failure causes FortiGate to then check subsequent authentication policies, potentially matching the user against a configured remote group policy pointing to the LDAP server. If the provided password is correct, the user authenticates successfully via LDAP, bypassing the 2FA requirement configured for the local user.
## Exploitation
- Status: Exploited in the wild (Fortinet observed recent abuse; the flaw is also listed as weaponized in 2021 attacks).
- Complexity: Medium (Requires specific, complex configuration prerequisites to be met).
- Attack Vector: Network
## Impact
- Confidentiality: Potential exposure if an attacker gains unauthorized VPN or administrative access.
- Integrity: Potential unauthorized modification of systems if administrative access is gained.
- Availability: Potential disruption if unauthorized VPN connections consume resources or malicious actions are performed.
## Remediation
### Patches
Fortinet released fixes in July 2020. Organizations should upgrade to versions equal to or greater than:
* FortiOS 6.0.10
* FortiOS 6.2.4
* FortiOS 6.4.1
For customers on newer versions (6.0.13, 6.2.10, 6.4.7, 7.0.1, or later), Fortinet advises running the following command to enforce case sensitivity checks system-wide:
`set username-sensitivity disable`
### Workarounds
1. **Enabling Username Sensitivity (If unable to patch):** Run the command `set username-sensitivity disable` for all local accounts to force case-sensitive matching, preventing the fallback to LDAP group authentication on case mismatch.
2. **Configuration Removal:** Consider removing the secondary LDAP Group used in authentication policies if it is not strictly required, as this eliminates the attack path that relies on authentication falling back to that group.
3. **Credential Reset:** Reset all credentials for administrative and VPN users if any evidence of 2FA bypasses is found.
## Detection
- Indicators of Compromise: Unusual logins to VPN or administrative interfaces where 2FA was not prompted or collected, despite 2FA being configured for the corresponding local user account.
- Detection methods and tools: Reviewing FortiGate logs for authentication attempts that show a failure against the local user but a subsequent success against another configured group/LDAP server, especially when casing appears mismatched in the initial attempt.
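As an added illustration of the log review described above (example code, not from the report or from Fortinet), the following Python correlates a failed lookup against the local user store with a subsequent success through a remote group from the same source, for a username that differs only in case from a 2FA-protected local account. The key=value line format, its field names, the sample lines and the 2FA account inventory are all constructed assumptions, not a verified FortiGate log schema.

```python
import re
from datetime import datetime

# Constructed, simplified key=value event lines (not a verified FortiGate log schema).
# Lines 1-2 show the pattern from the report: a failure against the local user store,
# then a success via an LDAP group from the same source, same name but different case.
SAMPLE_LOGS = [
    'date=2024-05-01 time=08:00:01 srcip=203.0.113.10 user="JSmith" group="local" status="failed" reason="user not found"',
    'date=2024-05-01 time=08:00:02 srcip=203.0.113.10 user="JSmith" group="ldap_vpn_users" status="success" reason="remote auth ok"',
    'date=2024-05-01 time=08:05:00 srcip=198.51.100.7 user="amy" group="local" status="success" reason="2fa ok"',
    'date=2024-05-01 time=08:06:00 srcip=198.51.100.8 user="bob" group="ldap_vpn_users" status="success" reason="remote auth ok"',
]

# Constructed inventory of 'user local' accounts that have two-factor enabled.
LOCAL_2FA_USERS = {"jsmith", "amy"}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value line into a dict; quoted and bare values are both accepted."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def timestamp(event):
    return datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")

def find_2fa_bypass_candidates(lines, local_2fa_users, window_seconds=60):
    """Return (typed_name, configured_name, srcip, group) for every local-store failure
    followed within window_seconds by a remote-group success from the same source for
    the same username differing only in case, where that local user has 2FA configured."""
    by_lower = {u.lower(): u for u in local_2fa_users}
    events = [parse(line) for line in lines]
    hits = []
    for i, fail in enumerate(events):
        if fail.get("group") != "local" or fail.get("status") != "failed":
            continue
        typed = fail.get("user", "")
        configured = by_lower.get(typed.lower())
        # An exact-case failure is an ordinary bad login; only a case mismatch can fall through.
        if configured is None or configured == typed:
            continue
        for succ in events[i + 1:]:
            if (succ.get("status") == "success"
                    and succ.get("group") not in (None, "local")
                    and succ.get("user", "").lower() == typed.lower()
                    and succ.get("srcip") == fail.get("srcip")
                    and 0 <= (timestamp(succ) - timestamp(fail)).total_seconds() <= window_seconds):
                hits.append((typed, configured, succ["srcip"], succ["group"]))
                break
    return hits

if __name__ == "__main__":
    for hit in find_2fa_bypass_candidates(SAMPLE_LOGS, LOCAL_2FA_USERS):
        print("possible 2FA bypass: typed=%s local=%s src=%s via group=%s" % hit)
```

Each hit names the case variant that was typed, the local account it shadows, and the remote group that finally accepted the login, which is the evidence to pair with a credential reset for that account.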
## References
- Vendor Advisory (Initial 2020): hxxps://www.fortiguard.com/psirt/FG-IR-19-283
- Vendor Advisory (Recent Update): hxxps://www.fortinet.com/blog/psirt-blogs/product-security-advisory-and-analysis-observed-abuse-of-fg-ir-19-283