Fortinet VPN with default certificate exposes 200,000 businesses to hack

According to SAM Seamless Network, more than 200,000 companies use the Fortigate VPN with default settings, putting them at risk of attack by hackers.

In response to the global spread of the coronavirus, many organizations have deployed VPN solutions, including Fortigate VPN, that allow their employees to work from home.

The configuration of VPN solutions is important to ensure the security of organizations and to avoid unpleasant surprises.

According to network security platform provider SAM Seamless Network, more than 200,000 organizations have deployed a Fortigate VPN with default settings. This choice allows an attacker to present a valid SSL certificate and carry out a man-in-the-middle (MitM) attack on employee connections.

Surprisingly enough (or perhaps not?) we soon discovered that SSL VPN, when configured by default, is not as secure as it should be, and is quite easily vulnerable to MITM attacks. The Fortigate SSL VPN Client only checks if the CA is issued by Fortigate (or another trusted CA), so an attacker can easily present the issued certificate to another Fortigate router without raising a flag and launch a man-in-the-middle attack. We searched for and found more than 200,000 high-risk companies in minutes.

Experts noted that the Fortigate SSL VPN client only checks that the certificate was issued by Fortinet or another trusted CA, so an attacker can present a certificate issued to a different Fortigate router and launch a man-in-the-middle attack.

The researchers set up a compromised IoT device that launches an ARP-poisoning MitM attack as soon as FortiClient initiates a VPN connection. The compromised IoT device uses a valid Fortinet-signed certificate obtained from a different Fortigate router, forwards the traffic to the legitimate server, intercepts it in the middle and spoofs the authentication process.

A digital certificate contains different values:

  • Server name – the name of the server for which this certificate was issued.
  • Public key – the public key used to encrypt traffic to this server.
  • Digital signature – a signature confirming that the certificate was issued by a certificate authority.
  • Validity – the period during which this certificate is valid.
  • Issuer information – information about the issuer of the certificate (the same entity that signed it).

Each time a client connects to a server, it checks the following information:

  • The server name in the certificate matches the name of the server the client is trying to connect to.
  • The certificate has not expired.
  • The digital signature on the certificate is correct.
  • The certificate was issued by a certificate authority trusted by the client.

The biggest problem is that organisations keep using the self-signed SSL certificate that ships by default.

The Fortigate router ships with a default SSL certificate signed by Fortinet. This is a self-signed certificate that uses the router’s serial number as the server name.

Experts point out that the Fortinet client does not verify the server name at all, which means that any certificate signed by Fortinet or another trusted CA is accepted. An attacker can redirect the traffic to his own server, present his own certificate and then decrypt the traffic, as shown in the PoC attack video.
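The server-name check described above, as an added example (not code from the article, SAM Seamless Network or Fortinet): a small Python verifier applies the name and expiry checks from the list above to certificate metadata in the dict layout returned by ssl.SSLSocket.getpeercert(), using a constructed certificate whose CN is a placeholder device serial (the serial and issuer names are assumptions), and shows a client context with the hostname check off (the reported behaviour) beside one with it on.

```python
import ssl
import time

# Constructed example of the subject/issuer/notAfter fields that
# ssl.SSLSocket.getpeercert() returns. The serial number and issuer CN
# are placeholders, not values taken from a real device.
DEFAULT_STYLE_CERT = {
    "subject": ((("organizationName", "Fortinet"),),
                (("commonName", "FGT-SERIAL-PLACEHOLDER"),)),
    "issuer": ((("organizationName", "Fortinet"),),
               (("commonName", "fortinet-ca-placeholder"),)),
    "notAfter": "Jan 01 00:00:00 2031 GMT",
}


def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def dns_name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def verify_peer_identity(cert, hostname, now=None):
    """Reasons a chain-valid certificate must still be rejected (empty = OK).
    Signature/chain validation is left to the TLS stack; this adds the two
    checks a name-blind client skips: server name match and validity period."""
    problems = []
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if not any(dns_name_matches(n, hostname) for n in cert_names(cert)):
        problems.append("server name mismatch: %s vs %s" % (cert_names(cert), hostname))
    return problems


def client_context(check_server_name):
    """check_server_name=False reproduces 'any trusted-CA certificate is
    accepted'; True is the setting a VPN client should enforce."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    ctx.check_hostname = check_server_name
    return ctx
```

Running verify_peer_identity(DEFAULT_STYLE_CERT, "vpn.example.com") reports a server name mismatch even though the certificate chains to a trusted CA, which is exactly the rejection the client is reported not to perform.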

In this video you can see how we decipher Fortinet SSL VPN Client traffic and extract the user’s password and OTP. In fact, an attacker can use it to feed his own traffic and communicate with virtually any internal business device, including points of sale, private data centers, etc. This is a serious breach of security that can lead to a serious deterioration of the data.

Unfortunately, Fortinet has no plans to address this vulnerability. It recommends that users manually replace the default certificate and make sure connections are protected against MitM attacks.

Fortinet currently issues a warning when users are using the default certificate:

You are using a standard embedded certificate that is not able to verify the domain name of your server (your users will see a warning). It is recommended to buy a certificate for your domain and download it for use.

Pierluigi Paganini

(SecurityAffairs – hacking, Fortigate VPN)