Fortinet has issued a warning regarding the active exploitation of a three-year-old vulnerability that allows attackers to bypass two-factor authentication (2FA) on FortiGate firewalls simply by changing the capitalization of a username.
The vulnerability, tracked as FG-IR-19-283 (or CVE-2020-12812), was originally disclosed and patched in July 2020. However, recent observations indicate that threat actors are successfully leveraging this flaw against organizations with specific, unmitigated configurations.
“Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283/CVE-2020-12812 in the wild based on specific configurations,” the new analysis warns.
The flaw is a classic logic error born from a discrepancy between how two systems compare usernames. FortiGate firewalls treat usernames as case-sensitive by default (e.g., “User” is different from “user”), while many LDAP directories (such as Microsoft Active Directory) treat them as the same.
“This particular authentication behavior is caused by FortiGate treating usernames as case-sensitive by default, when the LDAP Directory does not,” the report explains.
This mismatch creates a loophole. If an organization has a local user configured with 2FA but also has a backup LDAP group policy for authentication, an attacker who knows the password can bypass the security token entirely.
The exploit is deceptively simple. Imagine a user named jsmith who is protected by a 2FA token.
An attacker attempts to log in via VPN or the admin panel using a case variation, such as JSmith or JSMITH.
The FortiGate checks its local user database. Because it is case-sensitive, it decides that JSmith is not the local user jsmith. Consequently, it does not request the 2FA token.
The firewall then proceeds to check secondary authentication methods, such as general LDAP groups. Since the backend LDAP server is case-insensitive, it recognizes JSmith as a valid user and grants access solely based on the password.
“If the user logs in with ‘Jsmith’, or ‘jSmith’, or ‘JSmith’, or ‘jsmith’ or anything that is NOT an exact case match to ‘jsmith’, the FortiGate will not match the login against the local user,” the report details. “Authentication will be successful regardless of any settings within the local user policy (2FA and disabled accounts).”
The impact is severe: “This can result in admin or VPN users being authenticated without 2FA.”
Fortinet is urging administrators to ensure their systems are patched to versions 6.0.10, 6.2.4, 6.4.1, or higher.
For organizations unable to upgrade immediately, or those wanting to double-check their configuration, there is a configuration workaround. Admins can force the firewall to ignore case differences when matching local users, closing the loophole.
“With username-sensitivity set to disabled, FortiGate will treat jsmith, JSmith, JSMITH and all possible combinations as identical and therefore prevent failover to any other misconfigured LDAP group setting,” the report advises.
Administrators should apply the following command to each local account (within the local user entry under config user local):
- set username-sensitivity disable (for newer versions)
- set username-case-sensitivity disable (for older versions)
Additionally, the report recommends reviewing authentication policies: “If a secondary LDAP Group is not required, it should be removed” to minimize the attack surface.
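To make the authentication order concrete, here is an added model of the behaviour described above (illustrative code, not Fortinet's implementation): a local user protected by 2FA, a case-insensitive backup LDAP group, and the two mitigations the report names. The user name, password, token value and LDAP backend are constructed sample data; the real firewall matching logic is not reproduced, only its documented outcome.

```python
from dataclasses import dataclass

@dataclass
class LocalUser:
    name: str
    password: str
    two_factor: bool = False
    disabled: bool = False

@dataclass
class Firewall:
    local_users: list
    ldap_group: dict                  # constructed backend: lowercase name -> password
    username_sensitivity: bool = True  # FortiGate default that enables the bypass
    ldap_group_policy: bool = True     # secondary LDAP group configured as fallback

    def _find_local(self, login):
        # Exact match by default; case-insensitive once username-sensitivity is disabled.
        for u in self.local_users:
            if u.name == login or (not self.username_sensitivity
                                   and u.name.lower() == login.lower()):
                return u
        return None

    def authenticate(self, login, password, token=None):
        """Return (granted, reason) following the local-then-LDAP order."""
        user = self._find_local(login)
        if user is not None:
            # Local policy applies: disabled state and 2FA are enforced here.
            if user.disabled:
                return False, "local account disabled"
            if user.password != password:
                return False, "bad password"
            if user.two_factor and token != "valid-otp":  # constructed token check
                return False, "2FA token required"
            return True, "local user with policy enforced"
        # No local match: fall through to the LDAP group, which ignores case
        # and knows nothing about the local 2FA requirement.
        if self.ldap_group_policy and self.ldap_group.get(login.lower()) == password:
            return True, "ldap group (no 2FA)"
        return False, "no match"

def build_firewall(**overrides):
    """Constructed deployment: jsmith has 2FA locally and also exists in LDAP."""
    users = [LocalUser("jsmith", "S3cret!", two_factor=True)]
    return Firewall(users, {"jsmith": "S3cret!"}, **overrides)

if __name__ == "__main__":
    for cfg in ({}, {"username_sensitivity": False}, {"ldap_group_policy": False}):
        print(cfg or "default", build_firewall(**cfg).authenticate("JSmith", "S3cret!"))
```

Running it shows the default configuration granting “JSmith” access with only a password, while either disabling username sensitivity or removing the LDAP group policy restores the 2FA requirement.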