According to a report published by Fortinet, active exploitation of a long-standing vulnerability (CVE-2020-12812) in FortiOS has been discovered. The vulnerability, first reported by Fortinet in 2020, allows attackers to bypass two-factor authentication (2FA) when the user is configured as a Local User backed by LDAP (Lightweight Directory Access Protocol).
The root cause is a case-sensitivity mismatch between FortiGate and LDAP servers. Suppose a user's account name is capitalized differently (even by a single letter) on the FortiGate from the way it is stored in the LDAP server: the FortiGate will fail to match the Local User and will fall back to LDAP instead. If the user's LDAP credentials are correct, access is granted without ever passing through 2FA or any other local restrictions.
For the vulnerability to be exploitable, all of the following conditions must hold:
1. There must be at least one Local User Account on FortiGate that has 2FA configured, and that references the LDAP for authentication.
2. There must be at least one local user that authenticates to an LDAP group which is also part of the FortiGate policy.
3. The LDAP group must be used in an authentication policy (administrative, SSL VPN, or IPsec VPN) configured on the FortiGate.
If all of the above conditions are met, the FortiGate will accept credentials from LDAP regardless of the 2FA configured on the local user account. Any time the supplied username differs from the local account by letter case only (e.g. Jsmith, jSmith, JSmith), the FortiGate fails over to LDAP for authentication.
Mitigation Steps
Fortinet released patched versions in July 2020 (FortiOS 6.0.10, 6.2.4, 6.4.1). For organizations unable to upgrade, the following commands can prevent the bypass:
1. For older versions:
set username-case-sensitivity disable
2. For newer versions (6.0.13, 6.2.10, 6.4.7, 7.0.1, or later):
set username-sensitivity disable
Disabling username case sensitivity ensures that all case variations of a username are treated as the same account, so a login that differs only in case still matches the Local User (and its 2FA requirement) instead of falling back to an LDAP group. Removing any secondary LDAP groups that are not required is another way to mitigate this attack vector; organizations may also wish to investigate for potential compromise and reset credentials for any administrator or VPN accounts showing signs of unusual authentication.
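To make the fallback concrete, here is an added example (not the page's or Fortinet's code) that models the decision path described above and the effect of the case-insensitivity setting; the user names, password, and group membership are constructed, and the audit helper is a hypothetical addition:

```python
# Added example (not Fortinet's code): why a case-sensitive Local User match
# lets a login that differs only in letter case fall through to the LDAP group
# in the policy, where 2FA is never consulted, and how case-insensitivity fixes it.

LOCAL_USERS = {
    # Constructed Local User object on the FortiGate: LDAP-backed, 2FA required.
    "jsmith": {"ldap_backed": True, "two_factor": True},
}
LDAP_GROUP_MEMBERS = {"jsmith"}               # LDAP group referenced by the policy
LDAP_DIRECTORY = {"jsmith": "correct-horse"}  # constructed LDAP credentials

def ldap_bind(username, password):
    """Directory bind; LDAP login attributes are commonly case-insensitive."""
    return LDAP_DIRECTORY.get(username.lower()) == password

def find_local_user(username, case_sensitive):
    """Match the supplied name against Local User objects."""
    for name, record in LOCAL_USERS.items():
        same = name == username if case_sensitive else name.lower() == username.lower()
        if same:
            return record
    return None

def authenticate(username, password, otp_ok, case_sensitive):
    """Return (allowed, path) for a policy listing both the local user and the LDAP group."""
    local = find_local_user(username, case_sensitive)
    if local is not None:
        # Local User matched: LDAP checks the password, the FortiGate enforces 2FA.
        if not ldap_bind(username, password):
            return False, "local-user: bad password"
        if local["two_factor"] and not otp_ok:
            return False, "local-user: 2FA failed"
        return True, "local-user (2FA enforced)"
    # No Local User matched: fall back to LDAP group membership, which carries
    # no 2FA requirement of its own.
    if username.lower() in LDAP_GROUP_MEMBERS and ldap_bind(username, password):
        return True, "ldap-group (2FA bypassed)"
    return False, "no match"

def at_risk_accounts():
    """Hypothetical audit helper: local 2FA users also present in the policy's LDAP group."""
    return sorted(n for n, r in LOCAL_USERS.items()
                  if r["two_factor"] and n.lower() in LDAP_GROUP_MEMBERS)

if __name__ == "__main__":
    for sensitive in (True, False):
        print("case_sensitive =", sensitive, authenticate("JSmith", "correct-horse", False, sensitive))
```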
Fortinet has not disclosed whether this vulnerability is actually being exploited in the wild, but the advisory strongly urges immediate attention to correcting configuration errors and applying the patches.
Source: The Hacker News