Security News > 2020 > September > FortiGate VPN Default Config Allows MitM Attacks

According to the SAM IoT Security Lab, the FortiGate SSL-VPN client only verifies that the certificate used for client authentication was issued by Fortinet or another trusted certificate authority.

"Therefore, an attacker can easily present a certificate issued to a different FortiGate router without raising any flags, and implement a man-in-the-middle attack," researchers wrote, in an analysis on Thursday.

In the case of the FortiGate router, it uses a self-signed, default SSL certificate, and it uses the router's serial number to denote the server for the certificate - it does not, according to SAM, verify that the actual server name parameter matches.

While the issue exists in the default configuration of the FortiGard SSL-VPN client, Fortinet does not consider the issue to be a vulnerability, because users have the ability to manually replace the certificate in order to secure their connections appropriately.

"Fortinet VPN appliances are designed to work out-of-the-box for customers so that organizations are enabled to set up their appliance customized to their own unique deployment. Each VPN appliance and the set up process provides multiple clear warnings in the GUI with documentation offering guidance on certificate authentication and sample certificate authentication and configuration examples. Fortinet strongly recommends adhering to its provided installation documentation and process, paying close attention to warnings throughout that process to avoid exposing the organization to risk."

News URL

https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/