FortiOS SSL VPN 2FA bypass by changing username case
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-19-283
Status: Final
Version: 1
Initial release: 2020-07-13
Current version: 2020-07-13
An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

This happens when two-factor authentication is enabled in the "user local" setting and that user's authentication type is set to a remote authentication method (e.g. ldap).

The issue exists because of inconsistent case-sensitive matching between the local and remote authentication.

A new CLI attribute called "username-case-sensitivity" was added to the "user local" CLI settings, and is now available when remote and two-factor authentication are both enabled:

config user local
    edit [name]
        set type ldap /* ldap as remote authentication */
        set two-factor fortitoken /* fortitoken as 2FA auth method */
        set username-case-sensitivity enable*|disable /* newly added, set to 'enable' by default */
    next
end

username-case-sensitivity is enabled by default; this is consistent with the default behavior on previous versions (local and remote username case must match). To avoid the second factor of authentication bypass issue, administrators must manually disable username-case-sensitivity.
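As an added illustration (not Fortinet's code and not FortiOS internals), the following Python models the two lookups the advisory describes: a remote LDAP bind that matches the account name case-insensitively, and the lookup of the "user local" entry that carries the FortiToken requirement, which matches case-sensitively unless the new attribute is disabled. It also includes a small audit that flags "user local" entries in a pasted CLI block that still meet the advisory's condition. The directory contents, user names, the SAMPLE_CONFIG text and the defaults assumed for attributes not present in an entry are constructed assumptions; the only default taken from the advisory is username-case-sensitivity enable.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data (not from the advisory): one directory account and
# the "user local" entry that carries its FortiToken requirement.
LDAP_DIRECTORY = {"jdoe": "correct-horse-battery"}   # uid -> password
LOCAL_USERS = {"jdoe": {"type": "ldap", "two-factor": "fortitoken"}}


@dataclass
class LoginResult:
    authenticated: bool         # credentials accepted by the remote server
    second_factor: bool         # FortiToken challenge enforced
    local_entry: Optional[str]  # "user local" entry applied, if any


def ldap_bind(username: str, password: str) -> bool:
    """Remote check: directory account names are matched case-insensitively,
    so "JDoe" and "jdoe" resolve to the same account."""
    return LDAP_DIRECTORY.get(username.lower()) == password


def find_local_entry(username: str, case_sensitive: bool) -> Optional[str]:
    """Lookup of the local entry holding the two-factor setting: exact match
    when case_sensitive (pre-fix behaviour and the new attribute's default),
    case-folded match otherwise."""
    for name in LOCAL_USERS:
        if name == username or (not case_sensitive and name.lower() == username.lower()):
            return name
    return None


def sslvpn_login(username: str, password: str,
                 username_case_sensitivity: bool = True) -> LoginResult:
    """Simplified login path: the remote bind decides authentication; the
    FortiToken step is enforced only when a local entry is found for the name
    as typed and that entry has two-factor set."""
    if not ldap_bind(username, password):
        return LoginResult(False, False, None)
    entry = find_local_entry(username, username_case_sensitivity)
    needs_2fa = entry is not None and LOCAL_USERS[entry]["two-factor"] != "disable"
    return LoginResult(True, needs_2fa, entry)


REMOTE_TYPES = {"ldap", "radius", "tacacs+"}

# Constructed "config user local" block in the shape of a CLI 'show' output.
SAMPLE_CONFIG = """\
config user local
    edit "jdoe"
        set type ldap
        set two-factor fortitoken
    next
    edit "asmith"
        set type ldap
        set two-factor fortitoken
        set username-case-sensitivity disable
    next
    edit "localadmin"
        set type password
        set two-factor fortitoken
    next
end
"""


def parse_user_local(cli_text: str) -> List[Dict[str, str]]:
    """Minimal parser for the edit/set/next shape of a 'config user local'
    block. Attributes absent from an entry get assumed defaults; only the
    username-case-sensitivity default comes from the advisory."""
    users: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"name": line[5:].strip().strip('"'),
                       "type": "password",                      # assumed default
                       "two-factor": "disable",                 # assumed default
                       "username-case-sensitivity": "enable"}   # default per advisory
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
        elif line == "next" and current is not None:
            users.append(current)
            current = None
    return users


def at_risk_users(users: List[Dict[str, str]]) -> List[str]:
    """Entries still matching the advisory's condition: remote authentication
    type, a second factor configured, and case-sensitive matching at default."""
    return [u["name"] for u in users
            if u["type"] in REMOTE_TYPES
            and u["two-factor"] != "disable"
            and u["username-case-sensitivity"] == "enable"]


if __name__ == "__main__":
    for name, sensitive in (("jdoe", True), ("JDoe", True), ("JDoe", False)):
        r = sslvpn_login(name, "correct-horse-battery", sensitive)
        print(f"{name:>5} case-sensitivity={sensitive!s:5} -> 2FA enforced: {r.second_factor}")
    print("entries to fix:", at_risk_users(parse_user_local(SAMPLE_CONFIG)))
```

With the default setting, "JDoe" binds to the same directory account as "jdoe" but finds no local entry, so the model authenticates without enforcing the token; with the attribute disabled the local entry is matched and the second factor is required. The audit returns the entries an administrator still needs to change; paste the real `show user local` output in place of SAMPLE_CONFIG to run it against an actual configuration.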
Impact: Operational Risk, Improper Authentication
Affected products: FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below
Solutions: Upgrade to the following FortiOS version: 6.4.1 or later, 6.2.4 or later, 6.0.10 or later
https://fortiguard.fortinet.com/psirt/FG-IR-19-283
https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033
Affected versions:
FortiOS 6.4.0
FortiOS 6.2.3
FortiOS 6.2.2
FortiOS 6.2.1
FortiOS 6.2.0
FortiOS 6.0.9
FortiOS 6.0.8
FortiOS 6.0.7
FortiOS 6.0.6
FortiOS 6.0.5
FortiOS 6.0.4
FortiOS 6.0.3
FortiOS 6.0.2
FortiOS 6.0.1
FortiOS 6.0.0
CVE ID: CVE-2020-12812
CVSSv3 score: 5.2
CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:X/RC:X