Posted on September 26, 2020 at 5:35 PM
As the pandemic continues to push everyone into working from home, digital threats have been coming out of the woodwork to exploit weaknesses in remote-work infrastructure.
By capitalizing on the health concerns of the pandemic, attackers have found fresh openings for malicious campaigns.
Using Defaults Stands As A Massive Risk
SAM Seamless Network, a network security platform provider, claims that more than 200,000 businesses that have deployed the Fortigate SSL-VPN solution for remote employee connections are vulnerable to man-in-the-middle (MitM) attacks.
In this MitM attack, the attacker presents a certificate that the VPN client accepts without complaint and can therefore take over the connection. It should be noted, however, that this only applies to businesses that have kept the default configuration. Anyone who has replaced the default certificate is not affected by this particular issue.
Niv Hertz and Lior Tashimov of SAM's IoT Security Lab explained that they quickly discovered that the SSL VPN is not as well protected as it should be in its default configuration, which makes these networks easy targets for a MitM attack.
Default Bypasses Certain Verifications
The pair explained that the Fortigate SSL-VPN client only verifies that the server certificate was issued by Fortinet's CA, or by another trusted CA. This means an attacker can present the certificate of a different Fortigate device without raising any alarm, and from there carry out a MitM attack.
To prove this, the researchers set up a compromised IoT device on the same network. The device intercepts the connection shortly after the Fortinet VPN client initiates it, captures the user's credentials, and relays them to the real server, so the login succeeds and the user notices nothing.
SSL certificate validation is how a website or domain vouches for its authenticity. It normally involves checking several details: the digital signature, the validity period, whether the subject named in the certificate matches the server the client is connecting to, and whether it was issued by a certificate authority (CA) the client trusts.
A Simple Matter For Those That Know What To Do
The heart of the problem, as the researchers highlighted, is that the default settings rely on the factory-installed certificate rather than one issued for the organization's own domain.
Every Fortigate device ships with a default SSL certificate signed by Fortinet. Because the client accepts any certificate issued by Fortinet or by another trusted CA, a third party can substitute a different certificate of the same kind, for example the factory certificate from a Fortigate unit the attacker owns. That is enough to redirect the traffic to a server the attacker controls, decrypt it, and steal the information inside.
One of the key reasons this works is that the bundled default certificate uses the unit's serial number as its server name. The client could compare that server name against the serial number of the device it is supposed to be connecting to, but it does not verify the server name at all. This is what allows the fraudulent authentication to go through.
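To make the difference concrete, here is an added example (not code from the article or from Fortinet) that models the two checks in Python. It works on certificates in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the certificates, serial numbers and CA names below are constructed for illustration and are not real Fortigate identifiers. `chain_only_check` does what the article says the default client does (trusted issuer plus validity window), while `full_check` adds the missing step: the name in the certificate must match the name the client actually dialed, with RFC 6125-style wildcard matching for proper DNS names.

```python
import ssl
import time

# Hypothetical issuer CNs the client trusts (a vendor CA and a public CA).
TRUSTED_ISSUERS = {"Example Vendor CA", "Example Public CA"}


def make_cert(subject_cn, issuer_cn, not_before, not_after, sans=()):
    """Build a constructed certificate dict in the shape of ssl getpeercert()."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("organizationName", "Example Org"),), (("commonName", issuer_cn),)),
        "notBefore": not_before,          # format used by getpeercert(), e.g. "Sep 01 00:00:00 2020 GMT"
        "notAfter": not_after,
        "subjectAltName": tuple(("DNS", n) for n in sans),
    }


def _rdn_value(name_seq, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _dns_names(cert):
    """Identities the certificate claims: SAN dNSName entries, else the CN (RFC 6125 6.4.4)."""
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        cn = _rdn_value(cert["subject"], "commonName")
        if cn:
            names.append(cn)
    return names


def _match_dns(pattern, hostname):
    """Case-insensitive match; a single '*' is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return pattern == hostname
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def chain_only_check(cert, now=None):
    """The weak check described in the article: trusted issuer and validity period only."""
    now = time.time() if now is None else now
    if _rdn_value(cert["issuer"], "commonName") not in TRUSTED_ISSUERS:
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def full_check(cert, expected_name, now=None):
    """Chain and validity plus the missing step: the presented name must be the one dialed."""
    if not chain_only_check(cert, now):
        return False
    return any(_match_dns(name, expected_name) for name in _dns_names(cert))


# Constructed sample data. The "serial numbers" stand in for the factory
# certificate's server name; they are made up, not real device identifiers.
NOW = ssl.cert_time_to_seconds("Sep 26 17:35:00 2020 GMT")
VICTIM_UNIT = "UNIT-SERIAL-0001"   # the device the client intends to reach
LEGIT_CERT = make_cert(VICTIM_UNIT, "Example Vendor CA",
                       "Sep 01 00:00:00 2020 GMT", "Sep 01 00:00:00 2021 GMT")
# Factory certificate of a different unit the attacker owns: same vendor CA, other name.
ATTACKER_CERT = make_cert("UNIT-SERIAL-9999", "Example Vendor CA",
                          "Sep 01 00:00:00 2020 GMT", "Sep 01 00:00:00 2021 GMT")
# Right name, but issued by a CA the client does not trust: both checks reject it.
UNTRUSTED_CERT = make_cert(VICTIM_UNIT, "Evil CA",
                           "Sep 01 00:00:00 2020 GMT", "Sep 01 00:00:00 2021 GMT")
# A certificate issued for the organization's own VPN hostname, as the vendor advises.
DOMAIN_CERT = make_cert("vpn.example.com", "Example Public CA",
                        "Sep 01 00:00:00 2020 GMT", "Sep 01 00:00:00 2021 GMT",
                        sans=["vpn.example.com"])
EXPIRED_CERT = make_cert(VICTIM_UNIT, "Example Vendor CA",
                         "Sep 01 00:00:00 2019 GMT", "Sep 01 00:00:00 2020 GMT")

if __name__ == "__main__":
    print("attacker cert, chain-only check:", chain_only_check(ATTACKER_CERT, NOW))
    print("attacker cert, full check:      ", full_check(ATTACKER_CERT, VICTIM_UNIT, NOW))
    print("legit cert, full check:         ", full_check(LEGIT_CERT, VICTIM_UNIT, NOW))
    print("domain cert, wrong host:        ", full_check(DOMAIN_CERT, "mail.example.com", NOW))
```

The attacker's certificate passes `chain_only_check` and fails `full_check`, which is exactly the gap the researchers describe. Note that `full_check` is only meaningful when the client knows which name to expect; with the factory certificate that would be the serial number of the intended unit, and with a domain certificate it is the hostname the user typed.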
The Threats At Hand
Using this technique, the researchers were able to decrypt the traffic of the Fortinet SSL-VPN client and extract the user's password and one-time password (OTP).
The firm noted that an attacker in this position can also inject traffic of their own and communicate with any of the business's internal devices, from sensitive data centers to point-of-sale systems. It warned that this amounts to a significant security breach that could lead to severe data exposure.
Fortinet Refraining From Changes
Fortinet, for its part, has made it clear that it has no plans to change this behaviour. Instead, it advises customers to replace the default certificate themselves so that their connections are protected from MitM attacks.
Fortinet does ship a warning about the use of the default certificate. It states that with the built-in default certificate, users will not be able to verify the domain name of their server, and it recommends purchasing a certificate for the organization's own domain and uploading it for use by the SSL VPN.