According to SAM Seamless Network, over 200,000 businesses are using Fortigate VPN with default settings, exposing them to the risk of a hack. Under the default configuration, the SSL VPN is not as protected as it should be and is easily vulnerable to Man-in-the-Middle (MitM) attacks.
The Fortigate SSL-VPN client only verifies that the certificate was issued by Fortigate (or another trusted CA); therefore, an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a man-in-the-middle attack.
To achieve this, the researchers set up a compromised IoT device that triggers a MitM attack soon after the Fortinet VPN client initiates a connection. The device then steals the credentials before passing them to the server and spoofs the authentication process.
SSL certificate validation, which helps vouch for the authenticity of a website or a domain, typically works by verifying the certificate's validity period, its digital signature, whether it was issued by a certificate authority (CA) that the client can trust, and whether the subject in the certificate matches the server the client is connecting to.
According to the researchers, the problem lies in the use of default self-signed SSL certificates by companies.
Given that every Fortigate router comes with a default SSL certificate that is signed by Fortinet, that very certificate can be spoofed by a third party as long as it's valid and issued either by Fortinet or any other trusted CA, thus allowing the attacker to re-route traffic to a server they control and decrypt the contents.
For its part, Fortinet said it has no plans to address the issue, suggesting that users can manually replace the default certificate and ensure the connections are safe from MitM attacks.
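The validation checks described above can be modeled in a few lines of Python to show why skipping the subject check matters. This is an added example, not code from SAM Seamless Network or Fortinet. The certificate names, the CA name "Example Device CA" and the dates are constructed, and signature verification is assumed to have been done and is represented only by membership of the issuer in a trust set.

```python
import ssl

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); every name and date here is made up.
def make_cert(common_name, issuer_org, dns_names=()):
    return {
        "subject": ((("commonName", common_name),),),
        "issuer": ((("organizationName", issuer_org),),),
        "notBefore": "Jan  1 00:00:00 2020 GMT",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
        "subjectAltName": tuple(("DNS", n) for n in dns_names),
    }

GATEWAY_CERT = make_cert("vpn.example.com", "Example Device CA", ["vpn.example.com"])
OTHER_DEVICE_CERT = make_cert("DEVICE-SERIAL-0002", "Example Device CA")
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

def _field(name_tuple, key):
    """Pull one attribute (e.g. commonName) out of a subject/issuer tuple."""
    for rdn in name_tuple:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _name_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def validate(cert, host, trusted_orgs, now=NOW, check_subject=True):
    """Return the list of failed checks; an empty list means 'accepted'."""
    failures = []
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        failures.append("validity period")
    # Assumption: a verified signature chain is modeled as issuer membership.
    if _field(cert["issuer"], "organizationName") not in trusted_orgs:
        failures.append("untrusted issuer")
    if check_subject:
        names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
        names = names or [_field(cert["subject"], "commonName")]
        if not any(_name_matches(n, host) for n in names if n):
            failures.append("subject mismatch")
    return failures
```

With `check_subject=False`, a certificate issued to a different device by the same CA is accepted for `vpn.example.com`; with the subject check enabled it is rejected, which is the effect of replacing the default certificate with one issued for the gateway's own name.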