During a recent monthly scan for one of our managed vulnerability scanning customers, a medium impact issue regarding FortiGate VPNs was identified (CVE-2018-13379). However, the attack-led knowledge of the team responsible for validating issues quickly identified that the vulnerability carried a critical level of risk, as it could be used to trivially extract valid usernames and passwords.
The client was informed directly of the exposure and they were able to remediate within two hours of notification.
We notified our client three weeks before the National Cyber Security Centre (NCSC) issued its current guidance (https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities) detailing how the vulnerability, along with a number of other specific VPN flaws, was being used to target organisations. This significantly reduced their exposure window for what has now become a widely known exploited vulnerability.
CVE-2018-13379 was initially, and still is, widely viewed as just a medium impact issue by automated vulnerability scanners. However, as we were able to extract plain-text usernames and passwords from VPNs that would give access to enterprise networks and cloud-based systems such as O365 email accounts, the issue is critical when put in context.
The need for intelligent human analysis
The mismatch between the assessed “medium” impact risk posed by this flaw and its potential for serious real-world impact highlights how security teams cannot rely solely on automated security tools when pursuing vulnerability management. Without intelligent human analysis of the raw output, potentially critical issues can be missed, which shows the true value of our managed vulnerability scanning platform.