Fortinet has published an advisory about a vulnerability in its FortiOS SSL VPN. This improper authentication flaw, tracked as CVE-2020-12812, is notable because it is trivial to exploit: any user can obtain elevated access by defeating the second factor of authentication through the simple expedient of changing the case of their username. The CVSS score for this vulnerability is currently 5.2, signifying a medium-level risk.
The company has seen “active abuse” of CVE-2020-12812 in certain configurations, so prompt action by users is critical. Fortinet disclosed CVE-2020-12812 in July 2020 and stressed that agencies need to remain vigilant and proactive in order to safeguard their systems from attacks.
Understanding the Vulnerability
CVE-2020-12812 stems from inconsistent case handling of usernames between FortiGate devices and LDAP directories: FortiGate treats usernames as case-sensitive, while LDAP does not. Attackers can exploit this mismatch. This occurs when two-factor authentication (2FA) is on but username case-sensitivity is off.
Fortinet explained the mechanics behind the vulnerability: “This happens when two-factor authentication is enabled in the ‘user local’ setting, and that user authentication type is set to a remote authentication method (e.g., LDAP).” If a user logs in with a username whose case does not exactly match the local FortiGate user entry, FortiGate will fail to authenticate them against that entry, and this failure is silent.
“The issue exists because of inconsistent case-sensitive matching among the local and remote authentication.” – Fortinet
Recommendations for Users
To mitigate the risks associated with CVE-2020-12812, organizations running FortiOS versions 6.0.13, 6.2.10, 6.4.7, 7.0.1, or later are advised to apply the command “set username-sensitivity disable”. This change should make it harder for users to circumvent the purpose of the 2FA feature by varying the case of their username.
Those who have not yet deployed the patched versions released by Fortinet (6.0.10, 6.2.4, and 6.4.1) still have an interim measure available: organizations exposed through their local accounts can use that single command to prevent the authentication bypass for all local accounts at once.
“With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH, and all possible combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting.” – Fortinet
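The mechanism described above, modelled as an added illustration rather than Fortinet's own code: a small Python model of a FortiGate local user entry that requires a second factor, sitting in front of a case-insensitive LDAP directory. The local user jsmith is taken from Fortinet's examples on this page; the password, the LDAP lookup and the fallback to a remote LDAP group with no token requirement are assumptions made to model the advisory's description, not FortiOS internals. The username_sensitivity flag plays the role of the username-sensitivity setting from the recommendation, so the same login can be run with the setting enabled (the flaw) and disabled (the mitigation).

```python
"""Model of the CVE-2020-12812 authentication flow described in the advisory.

Added illustration, not Fortinet code. A local user entry carrying a 2FA
requirement is consulted first; if no local entry matches, the login falls
through to a remote LDAP group that has no token requirement (assumption
modelling the "misconfigured LDAP group" Fortinet refers to).
"""
from dataclasses import dataclass


@dataclass
class LocalUser:
    name: str
    two_factor: bool      # FortiToken (second factor) required for this entry
    auth_server: str      # remote authentication method, e.g. "ldap"


# Constructed sample data: one local user with 2FA, backed by LDAP.
LOCAL_USERS = {"jsmith": LocalUser("jsmith", two_factor=True, auth_server="ldap")}

# Constructed LDAP directory; the password is a made-up sample value.
LDAP_DIRECTORY = {"jsmith": "sample-password-not-real"}


def ldap_bind(username: str, password: str) -> bool:
    """LDAP matches usernames case-insensitively: JSmith and jsmith are one entry."""
    stored = LDAP_DIRECTORY.get(username.lower())
    return stored is not None and stored == password


def find_local_user(username: str, username_sensitivity: bool):
    """Local lookup: exact-case match when sensitivity is enabled, folded otherwise."""
    if username_sensitivity:
        return LOCAL_USERS.get(username)
    for name, user in LOCAL_USERS.items():
        if name.lower() == username.lower():
            return user
    return None


def authenticate(username: str, password: str, token_ok: bool,
                 username_sensitivity: bool) -> tuple:
    """Return (allowed, second_factor_enforced).

    With sensitivity enabled, a case variant of 'jsmith' misses the local
    entry that carries the 2FA requirement and falls through to plain LDAP,
    so the token is never asked for (the flaw). With sensitivity disabled,
    every case variant hits the local entry and the token is enforced.
    """
    user = find_local_user(username, username_sensitivity)
    if user is None:
        # No local match: fall back to the remote LDAP group, which in this
        # modelled misconfiguration carries no second-factor requirement.
        return ldap_bind(username, password), False
    if user.auth_server == "ldap" and not ldap_bind(username, password):
        return False, False
    if user.two_factor and not token_ok:
        return False, True
    return True, user.two_factor


if __name__ == "__main__":
    pw = LDAP_DIRECTORY["jsmith"]
    for sensitivity in (True, False):
        for attempt in ("jsmith", "JSmith", "JSMITH"):
            allowed, enforced = authenticate(attempt, pw, token_ok=False,
                                             username_sensitivity=sensitivity)
            print(f"sensitivity={sensitivity!s:5} user={attempt:7} "
                  f"allowed_without_token={allowed!s:5} 2fa_enforced={enforced}")
```

Running the block prints six rows: with the setting enabled, only the exact-case jsmith login is held to the token, while JSmith and JSMITH are admitted without it; with the setting disabled, all three variants resolve to the same local entry and are refused until the token is supplied.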
Ongoing Threats and Government Advisory
Continued exploitation of CVE-2020-12812 has alarmed experts and government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). The U.S. government has recognized this vulnerability as a critical weakness: it was weaponized throughout 2021 in attacks aimed at perimeter devices.
Fortinet’s threat analysis shows that multiple threat actors are actively exploiting this vulnerability in the wild. Organizations are expected to take responsibility for their configurations and keep them aligned with current best practice to protect against these threats.
“If the user logs in with ‘Jsmith’, or ‘jSmith’, or ‘JSmith’, or ‘jsmiTh’ or anything that is NOT an exact case match to ‘jsmith,’ the FortiGate will not match the login against the local user.” – Fortinet