A important authentication bypass vulnerability in FortiGate gadgets permits risk actors to bypass two-factor authentication (2FA) protections via case-sensitive username manipulation.
The flaw, tracked as CVE-2020-12812, impacts organizations with particular LDAP integration configurations and stays exploitable on unpatched programs.
The vulnerability stems from FortiGate’s default case-sensitive username dealing with conflicting with LDAP directories that deal with usernames as case-insensitive.
When attackers modify the capitalization of respectable usernames throughout login makes an attempt, the firewall fails to match the entry towards native 2FA-enabled accounts, triggering a fallback to less-secure LDAP group authentication.
Technical Evaluation
Profitable exploitation requires three configuration parts: native FortiGate person entries with 2FA enabled that reference LDAP accounts, LDAP group membership for these customers, and firewall insurance policies using LDAP teams for authentication.
An attacker logging in as “Jsmith” as an alternative of “jsmith” bypasses the native person coverage completely, forcing FortiGate to guage secondary authentication guidelines.
The system then authenticates towards the LDAP server straight utilizing solely username and password, utterly ignoring 2FA necessities and even disabled account statuses.
| CVE Identifier | FG-IR Reference | CVSS Rating | Assault Vector | Patch Availability |
|---|---|---|---|---|
| CVE-2020-12812 | FG-IR-19-283 | 9.1 (Crucial) | Community-based | FortiOS 6.0.10, 6.2.4, 6.4.1+ |
This vulnerability poses extreme dangers for administrative entry and VPN safety. Profitable bypass grants attackers unauthorized entry to administration interfaces or company networks with out possessing 2FA tokens.
Organizations experiencing exploitation should deal with their configurations as compromised and reset all credentials, together with LDAP/AD binding accounts.
The assault leaves minimal forensic proof since failed native authentication makes an attempt could not set off safety alerts.
Fortinet addressed the vulnerability in July 2020 via configuration enhancements. Directors should implement the set username-case-sensitivity disable command on all native accounts for FortiOS variations 6.0.10, 6.2.4, and 6.4.1.
For later releases (6.0.13+, 6.2.10+, 6.4.7+, 7.0.1+), use set username-sensitivity disable. This ensures FortiGate treats all username case variations as similar, stopping authentication fallback.
Extra hardening requires eradicating pointless secondary LDAP teams from authentication insurance policies.
Organizations ought to audit firewall configurations to eradicate redundant LDAP group references and implement strict native person matching.
The place LDAP teams are non-essential, their full removing blocks the authentication bypass pathway completely.
Observe us on Google Information, LinkedIn, and X to Get Instantaneous Updates and Set GBH as a Most popular Supply in Google.
