Hacker publishes exploits of Fortinet’s FortiGate VPNs

The hacker leaked sensitive details tied to a Fortinet SSL VPN vulnerability on a prominent hacker forum.

A hacker using the alias “pumpedkicks” published a list of one-line exploits for around 50,000 Fortinet FortiGate IP addresses still affected by the path traversal vulnerability tracked as CVE-2018-13379.

A 6.7-gigabyte uncompressed database is also being offered on popular hacking forums by a user posting as arendee2018, who claims it contains links and all web session files pulled from the Fortinet devices.

The vulnerability affects unpatched FortiOS devices with the SSL VPN service enabled. The exploits let attackers pull VPN credentials from internet-reachable devices, and the hackers went on to claim in a tweet that they hold the clear-text credentials associated with these IP addresses.

Hacker is posting credentials all over social media

HackRead reports that the list has also been posted on social media and elsewhere on the internet, and that it contains domains owned by high-street banks and government organizations in different parts of the world.

The path traversal vulnerability lets a remote attacker download FortiOS system files through the SSL (Secure Sockets Layer) VPN web portal without authenticating, so any device with the SSL VPN service enabled and exposed to the internet can be attacked.

This way, says HackRead, attackers can easily read the sslvpn_websession session file, which holds the login credentials of users currently logged in to the SSL VPN.
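For defenders who still have web access logs from the period, the attempts described above are easy to spot. The detector below is an added example for this article, not Fortinet's, HackRead's or the hacker's code. It URL-decodes each request twice (to catch double-encoding), collapses the runs of slashes attackers use to pad the traversal, and flags any request that walks up the tree with `..` segments or that names the sslvpn_websession file. The log lines, IP addresses and timestamps are constructed; the request paths in them follow the reported shape of the exploit (a language-file parameter stuffed with slash-padded `..` segments pointing at the session file).

```python
"""Detect CVE-2018-13379-style path traversal attempts in HTTP access logs.

Added example for this article; it is not Fortinet's, HackRead's or the
hacker's code. The log lines are constructed (Apache combined-log style,
documentation IP ranges); the traversal in them follows the reported
pattern of many '/' characters padding the '..' segments.
The detector is endpoint-agnostic: it URL-decodes twice (catching
double-encoding), collapses repeated slashes, and flags any request that
walks up with '..' segments or that names the sslvpn_websession file.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample: one benign request, two traversal attempts (the second
# URL-encoded) that were answered with a large 200, and one direct reference
# to the session file that was refused.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Nov/2020:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 4711
198.51.100.7 - - [19/Nov/2020:10:01:09 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 131072
198.51.100.7 - - [19/Nov/2020:10:01:15 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 131072
192.0.2.44 - - [19/Nov/2020:10:02:00 +0000] "GET /remote/portal?file=sslvpn_websession HTTP/1.1" 403 -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SESSION_FILE = "sslvpn_websession"


def normalize(target: str) -> str:
    """URL-decode twice and collapse runs of '/' so padded or encoded
    traversals look the same as a plain '../' one."""
    decoded = unquote(unquote(target))
    return re.sub(r"/+", "/", decoded)


def classify(target: str) -> list[str]:
    """Return the reasons a request target is suspicious (empty if none)."""
    norm = normalize(target)
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", norm):
        reasons.append("dot-dot traversal")
    if SESSION_FILE in norm:
        reasons.append("session file requested")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious request.

    likely_success is a heuristic: a 200 with a non-empty body means the
    device handed something back, which on an unpatched unit is the file.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        reasons = classify(m["target"])
        if not reasons:
            continue
        size = int(m["size"]) if m["size"].isdigit() else 0
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "target": m["target"],
            "status": status,
            "reasons": reasons,
            "likely_success": status == 200 and size > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "EXFIL?" if f["likely_success"] else "attempt"
        print(f"{flag:8} {f['ip']:15} {f['status']} {', '.join(f['reasons'])}")
```

Run it on the constructed sample and the two padded requests from 198.51.100.7 come out as probable exfiltration while the refused request from 192.0.2.44 is reported as an attempt only. Matching on the normalized form rather than on a literal string matters: the second request line would slip past a plain substring search for `../`.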

All Fortinet customers should immediately upgrade all FortiGate systems to the latest firmware releases. Because the leaked session files hold credentials that were captured before any patch was applied, upgrading alone does not help: customers should also validate that every SSL-VPN local user is expected and has the correct email address assigned, and then reset the passwords of all users.
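The checks behind those three steps, as an added example (not Fortinet's code and not a FortiOS CLI command): a version comparison against the minimum fixed releases that Fortinet's advisory FG-IR-18-384 gives for CVE-2018-13379 (5.4.13, 5.6.8, 6.0.5, with 6.2.0 and later shipping fixed), and an audit of an exported SSL-VPN local-user list against the users and email addresses the administrator expects. The user export and the expected list are constructed; on a real device they come from the user configuration and from whoever owns the accounts. Releases on branches older than 6.2 that the table does not cover are reported as needing an upgrade; that is a conservative design choice here, not a statement from the advisory.

```python
"""Checks for the remediation steps: firmware at or past the fixed release,
and the SSL-VPN local user list matching what the administrator expects.

Added example; not Fortinet's code and not a FortiOS CLI command. The minimum
fixed releases are those Fortinet's advisory FG-IR-18-384 gives for
CVE-2018-13379. The user export and the expected list are constructed.
"""
from __future__ import annotations

import re

# Minimum fixed FortiOS release per affected branch (FG-IR-18-384).
# 6.2.0 and later shipped with the fix.
FIXED_MIN = {
    (5, 4): (5, 4, 13),
    (5, 6): (5, 6, 8),
    (6, 0): (6, 0, 5),
}
FIRST_CLEAN_BRANCH = (6, 2)


def parse_version(text: str) -> tuple[int, int, int]:
    """Pull major.minor.patch out of strings like '6.0.4', 'v6.0.5,build0268'
    or 'FortiOS 6.2.1'. Raises ValueError if no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version_text: str) -> bool:
    """True if the running release is at or past the fix for its branch.
    Branches older than 6.2 that are not in FIXED_MIN are end-of-life and
    are reported as needing an upgrade (a conservative choice made in this
    example, not an advisory statement)."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED_MIN:
        return (major, minor, patch) >= FIXED_MIN[branch]
    return branch >= FIRST_CLEAN_BRANCH


# Constructed export of SSL-VPN local users as (username, email) pairs; on a
# real device this comes from the user configuration.
EXPORTED_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("svc_backup", "ops@example.com"),
    ("support2", "temp@mail.example"),  # nobody remembers creating this one
]

# Constructed list of who the administrator expects to exist.
EXPECTED_USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.net",  # email on the device no longer matches
    "svc_backup": "ops@example.com",
    "carol": "carol@example.com",  # expected but absent from the export
}


def audit_users(exported, expected) -> dict[str, list[str]]:
    """Compare the export against expectations: accounts nobody asked for,
    accounts whose email drifted, and expected accounts that are missing."""
    findings = {"unexpected": [], "email_mismatch": [], "missing": []}
    seen = set()
    for name, email in exported:
        seen.add(name)
        if name not in expected:
            findings["unexpected"].append(name)
        elif expected[name].lower() != email.lower():
            findings["email_mismatch"].append(name)
    findings["missing"] = sorted(set(expected) - seen)
    return findings


def reset_list(exported) -> list[str]:
    """Every exported account gets a password reset: a captured session file
    may hold the credentials of any of them, and patching does not change
    a password that has already leaked."""
    return sorted(name for name, _ in exported)


if __name__ == "__main__":
    for v in ("5.6.7", "v6.0.5,build0268", "6.2.1"):
        print(v, "patched" if is_patched(v) else "UPGRADE")
    print(audit_users(EXPORTED_USERS, EXPECTED_USERS))
    print("reset:", reset_list(EXPORTED_USERS))
```

The unexpected account (support2) is the one to investigate before resetting anything, since an attacker who logged in with stolen credentials may have added it; the email mismatch on bob is the kind of drift that makes a reset notification go to the wrong mailbox.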

HackRead explains that the threat is exacerbated by user complacency. “Fortinet issued patches for the FortiOS operating system in May 2019,” they say. “Regardless though, the vulnerability has been exploited again and again thanks to users not upgrading their systems. This therefore naturally places the burden of responsibility on users.”