Major VPN security bug still plagues several Government and bank websites

VPN
(Image credit: Shutterstock.com)

In what’s equally sad and shocking, a hacker has posted an exploit that can be used to steal VPN credentials using a 2018 vulnerability that was publicly disclosed over a year ago.

It is reported that a series of one-line exploits can reveal authentication information from about 50,000 compromisable targets.

According to anonymous threat intelligence analyst Bank_Security, the list includes several banks, many .gov domains from around the world as well as thousands of companies.

Failed by red-tape

The flaw labelled CVE-2018-13379 is a path traversal vulnerability in the web portal of FortinetOS’ SSL VPN devices.

Using a reportedly trivial exploit that involves crafting special HTTP requests, unauthenticated attackers can download the sslvpn_websession files from Fortinet VPNs that contain login credentials.

The simple mitigation for the vulnerability is to either disable the SSL-VPN service on the FortinetOS devices running the affected version, or to upgrade to a new release. Both solutions it seems are too much of an ask for the 49,577 targets that reportedly includes over four dozen banking, finance, and governmental organizations of repute.

“Unfortunately, companies have a very slow patching process or an uncontrolled perimeter of exposure on the internet, and for this reason, attackers are able to exploit these flaws to compromise companies in all sectors with relative simplicity,” shared the anonymous Bank_Security analyst adding that attackers had been exploiting this vulnerability for a long time.

In fact, the same flaw was reportedly exploited by attackers to break into US government elections support systems last month.

Via: BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.