FortiGate VPN Default Config Allows MitM Attacks


The client’s default configuration for SSL-VPN has a certificate issue, researchers said.

Default configurations of Fortinet’s FortiGate VPN appliance could open organizations to man-in-the-middle (MitM) attacks, according to researchers, where threat actors could intercept important data.

According to the SAM IoT Security Lab, the FortiGate SSL-VPN client only verifies that the certificate used for client authentication was issued by Fortinet or another trusted certificate authority.

“Therefore, an attacker can easily present a certificate issued to a different FortiGate router without raising any flags, and implement a man-in-the-middle attack,” researchers wrote, in an analysis on Thursday.

They added, “An attacker can actually use this to inject his own traffic, and essentially communicate with any internal device in the business, including point of sales, sensitive data centers, etc. This is a major security breach, that can lead to severe data exposure.”

A Shodan search turned up more than 230,000 vulnerable FortiGate appliances using the VPN functionality, researchers found. Out of those, a full 88 percent, or more than 200,000 businesses, are using the default configuration and can be easily breached in an MitM attack.

Underneath the Hood

According to SAM, in a typical SSL certificate verification process, the client can connect to a server only after verifying that the certificate’s Server Name field matches the actual name of the server that the client is attempting to connect to; that the certificate validity date has not passed; that the digital signature is correct; and that the certificate was issued by an authority that the client trusts.

In the case of the FortiGate router, it uses a self-signed, default SSL certificate, and it uses the router’s serial number to denote the server for the certificate – it does not, according to SAM, verify that the actual server name parameter matches.

“This leaves Fortinet with enough information to verify the certificate was issued to the same server the client is trying to connect to, if it were to verify the serial number,” according to researchers. “However, Fortinet’s client does not verify the Server Name at all. In fact, any certificate will be accepted, so long as it is valid.”
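The difference between the two behaviours described above can be shown on parsed certificates. This Python sketch is an added illustration, not code from SAM or Fortinet; the function names, serial numbers and CA name are constructed placeholders, and the dictionaries mimic what `ssl.SSLSocket.getpeercert()` returns once the TLS library has already validated the signature and issuer chain.

```python
import ssl

# Constructed placeholder: the serial number of the gateway the client dialled.
EXPECTED_GATEWAY = "FGT-EXAMPLE-0001"
# Fixed "current time" so the example is deterministic.
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")

def _cert(cn):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", "Example Appliance CA"),),),
        "notBefore": "Jan  1 00:00:00 2020 GMT",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    }

GENUINE = _cert("FGT-EXAMPLE-0001")
OTHER_APPLIANCE = _cert("FGT-EXAMPLE-9999")  # valid, but issued to another device

def common_name(cert):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def in_validity_window(cert, now):
    """Check notBefore <= now <= notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end

def chain_only_check(cert, now=NOW):
    """Behaviour the researchers describe: any valid, trusted certificate passes."""
    return bool(cert) and in_validity_window(cert, now)

def pinned_identity_check(cert, expected_id=EXPECTED_GATEWAY, now=NOW):
    """Adds the missing step: the certificate must name the gateway we dialled."""
    return chain_only_check(cert, now) and common_name(cert) == expected_id
```

With the chain-only check both certificates pass; only the identity comparison separates the intended gateway from a certificate issued to a different appliance.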

SAM published a proof-of-concept (PoC) showing how an attacker could easily re-route the traffic to a malicious server, displaying his or her own certificate, and then decrypt the traffic.

“We decrypt the traffic of the Fortinet SSL-VPN client and extract the user’s password and [one-time password],” researchers explained.

Fixing the Issue

While the issue exists in the default configuration of the FortiGate SSL-VPN client, Fortinet does not consider the issue to be a vulnerability, because users have the ability to manually replace the certificate in order to secure their connections appropriately.

“The security of our customers is our first priority. This is not a vulnerability,” the firm told Threatpost. “Fortinet VPN appliances are designed to work out-of-the-box for customers so that organizations are enabled to set up their appliance customized to their own unique deployment. Each VPN appliance and the set up process provides multiple clear warnings in the GUI with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples. Fortinet strongly recommends adhering to its provided installation documentation and process, paying close attention to warnings throughout that process to avoid exposing the organization to risk.”

SAM researchers noted that Fortinet’s approach “may be reasonable for the enterprise space,” but “smaller businesses (for example a small law firm) may not have the knowledge or time to configure it.”

They added, “the Fortigate issue is only an example of the current issues with security for the small-medium businesses, especially during the epidemic work-from-home routine. These types of businesses require near-enterprise grade security these days, but do not have the resources and expertise to maintain enterprise security systems.”


Discussion

  • FortiUser on

    Fortinet documentation states: "If you leave the default setting (Fortinet_CA_SSLProxy), the FortiGate unit offers its built-in certificate from Fortinet to remote clients when they connect. A warning appears that recommends you purchase a certificate for your domain and upload it for use" Hence, a warning ⚠️ was provided to the end user to replace it.
  • Dimitris Ioakimoglou on

    This is like saying that a toaster vendor is responsible for the burnt hands of all customers who didn't know how to use a toaster, didn't read the warnings and still wanted to make toast. Hire a pro.
  • SecurityManager on

    1) Fortinet could solve it in 5min, but they decided to protect their position and not their customers. 2) The highlight here is that the customer is not protected by default! Imagine that Chrome will not verify the SSL certificate by default and you will need to take manual actions in order to protect yourself. In 2020, security should be enabled by default from scratch. If you want to disable the security feature, it should be an advanced option and not the default.
  • pvr1109 on

    Ok
  • Vishweswara on

    It's a bad comparison! Google Chrome attempts to use the root certificate store of the underlying operating system to determine whether an SSL certificate presented by a site is indeed trustworthy https://www.chromium.org/Home/chromium-security/root-ca-policy You mentioned "Imagine that Chrome will not verify the SSL certificate by default" My response is it won't in some cases! Try accessing the websites by removing all the certs on Windows trusted root cert authority store. Because you have a CA cert in the trusted root cert store, your web connection is secure. Create your own Server Certificate signed by your own CA which you generated via OpenSSL and host it on a webserver. You can then connect to the web server using Chrome and see what happens. You will see an error. If the above concept is clear to you, then you will not complain about the warning presented by FortiClient SSL VPN when you connect to the SSL VPN gateway which is configured to use the Factory/default certificate. SSL VPN gateway configuration on FortiGate is similar to hosting a webpage on a web server.
  • forticlientuser on

    @Vishweswara, in the Chrome example, you are saying - let's delete the CA certificates and see what happens; in the FortiGate example, you are saying - let's use the default configuration and see what happens. Fortinet, as a security company on their website are publishing: "FortiClient uses SSL and IPSec VPN to provide secure, reliable access to corporate networks and applications from virtually any internet-connected remote location. FortiClient simplifies remote user experience with built-in auto-connect and always-up VPN features. Two-Factor authentication can also be used to provide an additional layer of security." They are selling "simplifies remote user experience", there is no single reference that the customer should create a certificate in order to be protected. ***Security best practices should be enabled by default! and not as an advanced option.***
