Researchers at Pentera have identified a design vulnerability in the logging mechanism of the Fortinet VPN server that enables attackers to obscure successful login attempts during brute-force attacks, BleepingComputer reports.
The issue stems from how the server records authentication and authorization processes. While failed login attempts are logged during the authentication phase, successful logins are only logged if the process advances to the authorization phase.
Using tools like Burp, Pentera demonstrated a technique to halt the login process after the authentication phase, before it reaches the authorization phase. This allows an attacker to confirm that a credential is valid without ever producing a log entry for a successful login. Consequently, defenders may see the failed brute-force attempts but remain unaware that some of the credentials were confirmed valid. Such credentials could be exploited later or sold to other threat actors. Pentera disclosed the issue to Fortinet, but the company reportedly does not classify it as a vulnerability, and it remains unclear whether a fix will be implemented. Meanwhile, Pentera has released a script demonstrating the flaw, raising awareness of the potential risks to Fortinet VPN users.
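The detection gap described above, as an added example that is not Pentera's script and does not use Fortinet's real log format: the Python below runs two rules over constructed sample lines in a hypothetical simplified format. The classic "failures followed by a success" correlation finds nothing, because no success line is ever written; a rule that alerts on failure volume per source alone, and lists the accounts tried, still fires.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified, hypothetical format (NOT FortiGate's
# real log schema). No "success" line appears: a credential confirmed in the
# authentication phase never reaches the authorization phase that would log it.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z vpn auth result=failed user=alice src=203.0.113.5
2024-01-01T10:00:02Z vpn auth result=failed user=bob src=203.0.113.5
2024-01-01T10:00:03Z vpn auth result=failed user=carol src=203.0.113.5
2024-01-01T10:00:04Z vpn auth result=failed user=dave src=203.0.113.5
2024-01-01T10:00:05Z vpn auth result=failed user=erin src=203.0.113.5
2024-01-01T10:07:00Z vpn auth result=failed user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log_text):
    """Yield (result, user, src) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def failures_then_success(log_text):
    """Classic correlation: a source that fails, then succeeds. Against this
    logging gap it returns nothing, because no success line is ever written."""
    failed_srcs, alerts = set(), set()
    for result, _user, src in parse(log_text):
        if result == "failed":
            failed_srcs.add(src)
        elif result == "success" and src in failed_srcs:
            alerts.add(src)
    return alerts

def failure_volume(log_text, threshold=4):
    """Gap-aware rule: alert on failure volume per source alone, and report how
    many distinct accounts were tried so those accounts can be reviewed."""
    count, users = defaultdict(int), defaultdict(set)
    for result, user, src in parse(log_text):
        if result == "failed":
            count[src] += 1
            users[src].add(user)
    return {src: {"failures": n, "users": len(users[src])}
            for src, n in count.items() if n >= threshold}

if __name__ == "__main__":
    print("failures-then-success:", failures_then_success(SAMPLE_LOG))
    print("failure-volume:", failure_volume(SAMPLE_LOG))
```

Because a valid credential leaves no trace here, the accounts named in a failure-volume alert should be treated as possibly compromised (reviewed or reset) rather than waiting for a success event that will never be logged.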