Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label cybersecurity risk. Show all posts

Fortinet VPN Logging Flaw Exposes Vulnerability to Undetected Credential Verification

 

A flaw in the logging mechanism of Fortinet VPN servers could allow attackers to hide successful credential verifications during brute-force attacks, potentially leaving defenders unaware of compromised logins.

While brute-force activity remains visible, a new technique limits logs to failed attempts, creating a false sense of security for system administrators.

FortiClient VPN logs login attempts through two steps: authentication and authorization. Researchers from Pentera, a cybersecurity company specializing in automated security validation, found that successful logins are recorded only if both steps are completed. Otherwise, the VPN logs the event as a failed authentication.

“[…] the failed ones are logged in the authentication phase but the successful ones are logged in the authorization phase, so yes, a full login with either a script or a VPN client would create a log,” explained Pentera researcher Peter Viernik to BleepingComputer.

The researchers devised a method to halt the process after the authentication phase, validating credentials without generating a log of the successful attempt. Using the Burp application security tool, they observed that the server response indicates valid credentials through specific values (“ret=1” for valid and “ret=0” for failed), while subsequent steps establish VPN sessions.

Stopping the process before authorization prevents successful logins from being recorded. Pentera notes this gap creates a security risk:

"The inability to log successful authentication attempts at the authentication phase presents a significant security risk. Attackers could potentially exploit this vulnerability to conduct brute-force attacks without detection of their successful attempts."

While admins might detect ongoing brute-force attempts, they would not know if any credentials were successfully verified. This could lead to attackers selling valid credentials or using them for future breaches when vigilance has waned.

Despite this issue, attackers must still bypass authorization, which includes API calls verifying device security compliance and user access levels. Though this complicates exploitation, Pentera warns that well-resourced adversaries could still succeed.

Pentera disclosed their findings to Fortinet, which reportedly did not consider the issue a vulnerability. It remains unclear if Fortinet plans to address the problem, though Pentera suggests the fix would not be complex.

As part of their disclosure, Pentera released a script demonstrating the flaw’s exploitation. BleepingComputer reached out to Fortinet for comment but did not receive a response by the time of publication.