Fortinet recently warned that threat actors are still actively exploiting a specific improper authentication vulnerability in FortiOS SSL VPN. This flaw, originally identified in 2020, allows users to log in successfully without being prompted for a second factor of authentication. The security gap occurs when a user changes the capitalization of their username during the login process, such as typing a name in mixed case when the local system expects lowercase.

The core of the issue lies in how different systems interpret text. While the FortiGate firewall treats usernames as case-sensitive, many remote LDAP directories do not. When a user provides a username that does not exactly match the case used in the local user entry, the system fails to apply the specific local security policies attached to that account, including mandatory two-factor authentication. Instead, it moves down the list of authentication policies to find another match.

For an attack to be successful, specific configuration requirements must be met on the device. The system must have local user entries with two-factor authentication that point back to an LDAP server, and those users must also be part of an LDAP group. If that group is used in an authentication policy for services like administrative access or VPNs, the system may inadvertently allow a login to proceed based on the LDAP credentials alone, bypassing the intended security layers.

GET 50% Discount for VPN/ANTIVIRUS SOFTWARE AT 911Cyber - CODE: bit5025

This vulnerability has a long history of being targeted by various threat actors and was previously highlighted by government agencies as a significant weakness in perimeter devices. Despite being half a decade old, the flaw remains relevant because many organizations have either failed to update their firmware or continue to use the specific configurations that trigger the bypass. Fortinet noted that if a user logs in with any variation of capitalization that is not an exact match, the firewall treats them as a general group member rather than a specific user subject to extra security.

To mitigate the risk, Fortinet recommends that organizations update to the patched versions of FortiOS that were released starting in July 2020. For those unable to update immediately, the company has provided specific commands to modify local accounts and ensure that authentication policies are applied correctly regardless of username casing. Ensuring that security patches are applied to edge devices remains a critical step in defending against persistent exploitation of known vulnerabilities.

Source: Fortinet Warns Of Active Exploitation Of FortiOS SSL VPN TwoFA Bypass Vulnerability