Hackers Exploiting Three-Year-Old FortiGate Vulnerability to Bypass 2FA on Firewalls

Attackers are actively abusing a Fortinet FortiGate flaw that was patched in July 2020, slipping past two-factor authentication (2FA) on the firewall and gaining unauthorized access to VPNs and, where policies allow it, administrative consoles.

Fortinet’s PSIRT team detailed the in-the-wild attacks in a recent blog post, urging administrators to audit their configurations immediately to avoid compromise.

Tracked as FG-IR-19-283 (CVE-2020-12812), the issue stems from a mismatch between how FortiGate matches usernames and how LDAP directories do: FortiGate compares usernames case-sensitively by default, while most LDAP directories, Active Directory included, compare them case-insensitively.

Attackers exploit this in misconfigured setups where a local FortiGate user has 2FA enabled and the same account is also a member of an LDAP group that the firewall maps to an authentication policy.

The attack is simple. Suppose a local user “jsmith” has 2FA enabled and is also a member of an LDAP group such as “Domain Users.” Logging in as exactly “jsmith” matches the local user and triggers the token prompt.

An attacker instead enters “Jsmith,” “jSmith,” or any other case variant. FortiGate finds no local user by that exact name, so the login falls through to the policy’s LDAP-group matches, such as “Helpdesk” or “Auth-Group,” which the directory evaluates case-insensitively. A valid LDAP password alone then suffices; the second factor is never consulted.
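To make that fallback concrete, the following Python model of the login decision is an added illustration, not FortiOS code and not from Fortinet’s post. It assumes a constructed local user “jsmith” of type ldap with FortiToken 2FA, a constructed AD-style directory that compares account names case-insensitively, and a policy that accepts either the local user or members of the LDAP group “Helpdesk”. It goes slightly beyond the walkthrough above: the `case_sensitive` flag models the effect of `username-sensitivity disable`, and an empty `policy_ldap_groups` models a policy with its LDAP groups removed.

```python
"""Model of the FG-IR-19-283 login decision (added illustration, not FortiOS code).

Assumptions, all constructed for the example: a local user "jsmith" of type
ldap with FortiToken 2FA, an AD-style directory that matches the account name
case-insensitively, and a VPN policy that accepts the local user or members of
the LDAP group "Helpdesk".
"""

# Constructed directory: one account, one password, two group memberships.
LDAP_DIRECTORY = {
    "jsmith": {"password": "Winter2024!", "groups": {"Domain Users", "Helpdesk"}},
}

# Constructed local user table: a type=ldap user with two-factor enabled.
LOCAL_USERS = {"jsmith": {"two_factor": True}}


def ldap_bind(username, password):
    """AD-style simple bind: the principal is compared case-insensitively.
    Returns the account's group set on success, None on failure."""
    entry = LDAP_DIRECTORY.get(username.casefold())
    if entry is not None and entry["password"] == password:
        return entry["groups"]
    return None


def find_local_user(username, case_sensitive):
    """Local-user lookup: exact match when case-sensitive (the default the
    article describes), case-folded match after `username-sensitivity disable`."""
    if case_sensitive:
        return LOCAL_USERS.get(username)
    for name, user in LOCAL_USERS.items():
        if name.casefold() == username.casefold():
            return user
    return None


def authenticate(username, password, token_ok, policy_ldap_groups, case_sensitive=True):
    """Return 'denied', 'allowed-2fa' or 'allowed-no-2fa'.

    policy_ldap_groups: LDAP groups the policy references; pass an empty set
    to model a policy trimmed to the local user only (mitigation step 3)."""
    local = find_local_user(username, case_sensitive)
    if local is not None:
        # Step 1: the local entry matched, so its password is checked against
        # the directory and its second factor is enforced.
        if ldap_bind(username, password) is None:
            return "denied"
        if local["two_factor"] and not token_ok:
            return "denied"
        return "allowed-2fa"
    # Step 2: no local entry matched; the login falls through to the policy's
    # LDAP groups, which carry no second factor. This is the bypass path.
    groups = ldap_bind(username, password)
    if groups is not None and groups & policy_ldap_groups:
        return "allowed-no-2fa"
    return "denied"


if __name__ == "__main__":
    pw, policy = "Winter2024!", {"Helpdesk"}
    print("jsmith, no token     :", authenticate("jsmith", pw, False, policy))  # denied
    print("jsmith, token        :", authenticate("jsmith", pw, True, policy))   # allowed-2fa
    print("Jsmith, no token     :", authenticate("Jsmith", pw, False, policy))  # allowed-no-2fa
    print("Jsmith, case-insens. :", authenticate("Jsmith", pw, False, policy, case_sensitive=False))  # denied
    print("Jsmith, no LDAP grp  :", authenticate("Jsmith", pw, False, set()))   # denied
```

The two mitigations map directly onto the model: case-folded matching forces the case variant back onto the local entry (and its token), and removing the LDAP groups leaves step 2 with nothing to match.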

Fortinet confirmed these prerequisites for exploitation:

  • Local FortiGate users with 2FA enabled whose password is validated against LDAP.
  • Those users being members of LDAP groups that are configured on the FortiGate and used in firewall or VPN policies (e.g., for SSL/IPsec VPN or admin access).
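Both prerequisites can be checked offline against a configuration backup. The following Python audit is an added example, not a Fortinet tool: it parses the config/edit/set/next/end backup syntax and reports every local user that has a second factor and `type ldap` whose LDAP server also backs a user group referenced by an SSL VPN authentication rule or a firewall policy. It assumes, as the article states, that case-sensitive matching is the default, so an LDAP server object with no explicit `username-sensitivity disable` (or the older `username-case-sensitivity disable`) is reported as case-sensitive. The embedded backup excerpt is constructed for the example.

```python
"""Audit a FortiOS config backup for the FG-IR-19-283 preconditions (added
example, not a Fortinet tool). Assumes, per the article, that case-sensitive
username matching is the default, so an LDAP server object without an explicit
`username-sensitivity disable` (or `username-case-sensitivity disable`) is
reported as case-sensitive."""
import shlex


def parse_fortios_config(text):
    """Minimal parser for the config/edit/set/next/end backup syntax into
    nested dicts, e.g. cfg["user local"]["jsmith"]["two-factor"] == ["fortitoken"]."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] in ("config", "edit"):
            stack.append(node)
            node = node.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "set":
            node[parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            node = stack.pop()
    return root


def audit_2fa_bypass(cfg):
    """One finding per local 2FA user (type ldap) whose LDAP server also backs a
    user group that an SSL VPN authentication rule or firewall policy references."""
    ldap_servers = cfg.get("user ldap", {})
    policy_groups = set()
    for rule in cfg.get("vpn ssl settings", {}).get("authentication-rule", {}).values():
        policy_groups.update(rule.get("groups", []))
    for policy in cfg.get("firewall policy", {}).values():
        policy_groups.update(policy.get("groups", []))
    # A user group with an LDAP server among its members is a remote (LDAP) group.
    remote_groups = {name: set(grp.get("member", [])) & set(ldap_servers)
                     for name, grp in cfg.get("user group", {}).items()}
    findings = []
    for name, user in cfg.get("user local", {}).items():
        if user.get("two-factor", ["disable"])[0] == "disable" or user.get("type", [""])[0] != "ldap":
            continue
        server = user.get("ldap-server", [""])[0]
        exposed_via = sorted(g for g, srvs in remote_groups.items() if server in srvs and g in policy_groups)
        if not exposed_via:
            continue  # nothing to fall back to: a case-variant login fails outright
        srv = ldap_servers.get(server, {})
        sens = srv.get("username-sensitivity") or srv.get("username-case-sensitivity")
        findings.append({"user": name, "ldap_server": server, "ldap_groups_in_policy": exposed_via,
                         "case_sensitive": sens is None or sens[0] == "enable"})
    return findings


# Constructed backup excerpt: "jsmith" reproduces the article's precondition;
# "bwayne" uses a server with case sensitivity disabled and no LDAP group in policy.
SAMPLE_CONFIG = """
config user ldap
    edit "AD"
        set server "10.0.0.5"
    next
    edit "AD-hardened"
        set server "10.0.0.6"
        set username-sensitivity disable
    next
end
config user local
    edit "jsmith"
        set type ldap
        set two-factor fortitoken
        set ldap-server "AD"
    next
    edit "bwayne"
        set type ldap
        set two-factor fortitoken
        set ldap-server "AD-hardened"
    next
end
config user group
    edit "VPN-Users"
        set member "jsmith" "bwayne"
    next
    edit "Helpdesk"
        set member "AD"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-Users" "Helpdesk"
        next
    end
end
"""

if __name__ == "__main__":
    for finding in audit_2fa_bypass(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

A finding with `case_sensitive` true and a non-empty `ldap_groups_in_policy` is exactly the exposed combination; fixing either half (disabling case sensitivity on the server, or dropping the LDAP group from the policy) closes it.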

This grants attackers VPN entry or elevated privileges without a token. Fortinet warns that a successful bypass should be treated as a compromise: reset all credentials, including the LDAP/AD bind account, and scrutinize logs for anomalies such as failed local-user matches followed by LDAP successes for the same account.

The vulnerability dates back to 2020 and was fixed in FortiOS 6.0.10, 6.2.4, and 6.4.1. Yet unpatched or misconfigured devices linger in the wild and draw opportunistic attackers; Fortinet’s analysis shows them probing for this specific setup, most likely after scanning for outdated firmware.

Mitigations

Admins should prioritize these steps:

  1. Patch Firmware: Upgrade to FortiOS 6.0.10, 6.2.4, 6.4.1 or later, which contain the fix for CVE-2020-12812.
  2. Disable Case-Sensitive Username Matching: In the LDAP server configuration, run set username-case-sensitivity disable (FortiOS 6.0.10–6.0.12, etc.) or set username-sensitivity disable (v6.0.13+, v6.2.10+, v6.4.7+, v7.0.1+). This makes “jsmith” and “JSMITH” resolve to the same account, so a case variant can no longer slip past the local user entry.
  3. Trim LDAP Groups: Remove LDAP groups that a policy does not genuinely need. With no LDAP group to fall back to, a mismatched login fails outright.
  4. Audit Logs: Hunt authentication events for case-variant usernames, in particular a failed login for a local 2FA user followed by a success under the same name in different case from the same source address.
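The log hunt in step 4 can be automated. The following Python script is an added example, not Fortinet tooling: it parses key="value" event lines, groups them by source address and case-folded username, and raises an alert whenever a successful login uses a spelling that is not the exact name of a local 2FA user but folds to one, which is the signature of a login answered by LDAP alone. The sample lines are constructed in the style of FortiOS event logs (field names and values are illustrative, not real device output), and the `LOCAL_2FA_USERS` watch-list is assumed to be exported from the device configuration.

```python
"""Hunt FortiGate authentication events for the case-variant pattern behind the
FG-IR-19-283 bypass (added example, not Fortinet tooling). The sample lines are
constructed in the key="value" style of FortiOS event logs; field names and
values are illustrative, and the watch-list of local 2FA users is assumed to be
exported from the device configuration."""
import re
from collections import defaultdict

# Exact-case names of local FortiGate users with a second factor (assumed input).
LOCAL_2FA_USERS = {"jsmith"}

# Constructed sample: a token failure for "jsmith", then a successful login as
# "Jsmith" from the same source via the LDAP group, plus unrelated traffic.
SAMPLE_LOG = """\
date=2024-05-02 time=09:14:01 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" srcip=203.0.113.7 reason="two-factor authentication failed"
date=2024-05-02 time=09:14:33 type="event" subtype="vpn" action="ssl-login-fail" user="Jsmith" srcip=203.0.113.7 reason="local user not found"
date=2024-05-02 time=09:14:34 type="event" subtype="vpn" action="tunnel-up" user="Jsmith" group="Helpdesk" srcip=203.0.113.7
date=2024-05-02 time=09:20:10 type="event" subtype="vpn" action="tunnel-up" user="jsmith" group="VPN-Users" srcip=198.51.100.9
date=2024-05-02 time=09:21:00 type="event" subtype="vpn" action="ssl-login-fail" user="aturing" srcip=198.51.100.9 reason="password incorrect"
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def find_case_variant_logins(log_text, local_2fa_users=LOCAL_2FA_USERS):
    """Return an alert for each successful login whose username is not an exact
    local 2FA user but case-folds to one, i.e. the login was answered by LDAP alone."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    folded_locals = {u.casefold(): u for u in local_2fa_users}
    # Group every event by (source, case-folded user) to see all spellings tried.
    by_source = defaultdict(list)
    for ev in events:
        by_source[(ev["srcip"], ev["user"].casefold())].append(ev)
    alerts = []
    for (srcip, folded), evs in by_source.items():
        local_name = folded_locals.get(folded)
        if local_name is None:
            continue
        for ev in evs:
            if ev["action"] == "tunnel-up" and ev["user"] != local_name:
                alerts.append({
                    "srcip": srcip,
                    "local_user": local_name,
                    "logged_in_as": ev["user"],
                    "via_group": ev.get("group"),
                    "time": f'{ev["date"]} {ev["time"]}',
                    "spellings_seen": sorted({e["user"] for e in evs}),
                    "failures_from_source": sum(1 for e in evs if e["action"] == "ssl-login-fail"),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_case_variant_logins(SAMPLE_LOG):
        print(alert)
```

Run it over an export of VPN and admin-login event records; each alert identifies the account to reset and the source address to investigate, and `spellings_seen` shows the case variants the attacker cycled through before one succeeded.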

Fortinet emphasizes that with no LDAP groups in the policy there is no bypass for local-only users. The incident underscores a harsh reality: old vulnerabilities thrive on configuration drift.

Because FortiGate firewalls sit in front of critical networks, enterprises should enforce least-privilege policies and audit their configurations regularly. A bypass of this kind can be the first step toward ransomware deployment or lateral movement, so the fixes above should not wait.
