Flaw in Fortigate routers exposing businesses to MITM attacks

Fortinet's Fortigate VPN solution has been found containing a critical flaw associated with SSL certificates that has made over 200,000 businesses vulnerable to Man-In-The-Middle attacks as well as data exfiltration by hackers.

On Thursday, network security services provider SAM Seamless Network revealed in a blog post it discovered a serious vulnerability in Fortinet's Fortigate VPN solution that allowed attackers to spoof the default SSL certificate signed by Fortinet and easily re-route the traffic to their servers.

The firm said that the Fortigate router comes with a default SSL certificate that is signed by Fortinet, not by a trusted CA, and uses its serial number as the server name for the certificate. However, the VPN client does not verify the server name and in fact, accepts any certificate that is valid and is issued by either Fortinet or any trusted CA.

This setting allows an attacker to use a valid SSL certificate to easily re-route the traffic to his server, display his own certificate, and then decrypt the traffic. According to SAM Seamless Network, there are over 230,000 Fortigate devices that are using the VPN functionality and over 200,000 businesses are using the default configuration and are, therefore, vulnerable to the exploit.

When contacted by the firm, Fortinet said they are aware of the flaw but will not change it as end-users have the ability to manually replace the certificate and are responsible for the protection of their connections. Fortinet's decision to leave it to the end-user to replace the default SSL certificate may leave a lot of small businesses, that are not aware of such security risks, exposed to attackers.

"The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a Man-In-The-Middle attack," SAM said.

"The Fortigate issue is only an example of the current issues with security for the small-medium businesses, especially during the epidemic work-from-home routine. These types of businesses require near enterprise-grade security these days, but do not have the resources and expertise to maintain enterprise security systems. Smaller businesses require leaner, seamless, easy-to-use security products that may be less flexible, but provide much better basic security," it added.

This is not the first time that security vulnerabilities have been discovered in popular VPNs that expose the data of users to hackers or third parties. In July this year, security researchers at vpnMentor found that seven free VPN apps created by a Hong Kong-based developer that together had over 20 million users, shared a server that was completely open and accessible to third parties.

Researchers found that the shared server, that hosted data collected by the free VPN apps, stored over 1.2TB of data that included 1,083,997,361 data records including email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical information belonging to over 20 million users worldwide who used these apps.

These free VPN apps, namely UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, claimed that they were “no-log” VPNs and did not store any user data but researchers found that their shared server contained detailed internet activity logs of millions of users. The apps also boasted military-grade security but their shared server also contained unencrypted plain text passwords.

MORE ABOUT: