Fortinet has warned customers that hackers are still actively exploiting a serious security flaw in FortiOS that allows them to bypass two-factor authentication on vulnerable FortiGate firewalls.

The vulnerability, tracked as CVE-2020-12812, affects the FortiGate SSL VPN. It lets an attacker who already holds a valid username and password log in without completing the second authentication step, simply by changing the letter case of the username: submitting an uppercase or lowercase variant of the same name avoids the FortiToken prompt.

Fortinet first fixed the issue in July 2020. At that time, the company explained that the problem occurs when two-factor authentication is enabled for local users but password authentication is delegated to a remote service such as LDAP. The local user store and the remote directory do not treat username case the same way, so a differently-cased name can pass the remote password check without being matched to the local entry that carries the two-factor requirement.

To address the flaw, Fortinet released patched versions of FortiOS, including 6.4.1, 6.2.4, and 6.0.10. For organizations that could not apply updates immediately, Fortinet advised disabling username case sensitivity as a temporary workaround.

Despite the fix having been available for years, Fortinet has now confirmed that attackers are still exploiting this vulnerability in real-world attacks. These attacks mainly target FortiGate devices where LDAP authentication is enabled and a specific combination of settings is in place.

According to Fortinet, systems are vulnerable only if they have local users who require two-factor authentication and whose passwords are checked against LDAP. These users must also belong to an LDAP group that is configured on the FortiGate device. In many cases, the risk is increased by a misconfigured secondary LDAP group that is consulted when the primary LDAP authentication fails.

Fortinet advised administrators to remove any unnecessary secondary LDAP groups. If no LDAP groups are required, LDAP-based authentication should be disabled entirely. In such cases, login attempts will fail if the username does not exactly match a local user entry.
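To make the mechanism concrete, the following is an added toy model of the login flow, not Fortinet's code and not a description of FortiOS internals. It assumes (my assumptions, not the advisory's) that the local user table is matched case-sensitively, that the LDAP directory matches names case-insensitively, and that a user who matches no local entry but belongs to a configured LDAP group is admitted on password alone. All usernames, passwords and group names are constructed sample data. The hardened variant canonicalises the username before the local lookup and drops the LDAP-group fallback, so a name that is not an exact local entry fails, as the advice above describes.

```python
"""Toy model of the case-sensitivity mismatch behind CVE-2020-12812.

Added example; not Fortinet's code. All data below is constructed.
"""

# Constructed local user table: username -> two-factor flag and LDAP server used
# for the password check. Lookups here are case-sensitive ("Alice" != "alice").
LOCAL_USERS = {
    "alice": {"two_factor": True, "ldap": "corp-ldap"},
}

# Constructed LDAP directory. Like most directories it matches account names
# case-insensitively, so "ALICE" and "alice" resolve to the same entry.
LDAP_DIRECTORY = {
    "corp-ldap": {
        "alice": {"password": "correct-horse", "groups": ["vpn-users"]},
    }
}

# LDAP groups the (hypothetical) firewall accepts for SSL VPN without a token.
ACCEPTED_LDAP_GROUPS = {"vpn-users"}


def ldap_bind(server, username, password):
    """Simulated LDAP bind: case-insensitive name match, returns groups or None."""
    entry = LDAP_DIRECTORY[server].get(username.lower())
    if entry is None or entry["password"] != password:
        return None
    return entry["groups"]


def vpn_login_vulnerable(username, password, token_ok):
    """Returns (access_granted, second_factor_prompted).

    The local lookup is case-sensitive, so a differently-cased name misses the
    local entry that carries the two-factor requirement and falls through to
    the LDAP-group path, which never asks for a token.
    """
    local = LOCAL_USERS.get(username)
    if local is not None:
        if ldap_bind(local["ldap"], username, password) is None:
            return (False, False)
        if local["two_factor"]:
            return (token_ok, True)
        return (True, False)
    # No exact local match: accept on password alone if an LDAP group matches.
    for server in LDAP_DIRECTORY:
        groups = ldap_bind(server, username, password)
        if groups and ACCEPTED_LDAP_GROUPS.intersection(groups):
            return (True, False)
    return (False, False)


def vpn_login_hardened(username, password, token_ok):
    """Same flow with the two mitigations the article describes applied together:
    username case is normalised before the local lookup, and the LDAP-group
    fallback is removed, so anything that is not a local user is rejected.
    """
    canonical = username.lower()
    local = LOCAL_USERS.get(canonical)
    if local is None:
        return (False, False)
    if ldap_bind(local["ldap"], canonical, password) is None:
        return (False, False)
    if local["two_factor"]:
        return (token_ok, True)
    return (True, False)


if __name__ == "__main__":
    for name in ("alice", "ALICE"):
        print(name, "vulnerable:", vpn_login_vulnerable(name, "correct-horse", token_ok=False))
        print(name, "hardened:  ", vpn_login_hardened(name, "correct-horse", token_ok=False))
```

Running the block shows the difference: with the correct password but no token, `alice` is refused on the vulnerable path because the token prompt fires, while `ALICE` is admitted with no prompt at all; on the hardened path both spellings hit the same local entry and both are stopped at the second factor.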