CVE-2021-24012 Overview
CVE-2021-24012 is an improper certificate chain of trust validation vulnerability affecting Fortinet FortiGate appliances running FortiOS versions 6.4.0 through 6.4.4. This security flaw allows an LDAP user to connect to SSLVPN using any certificate that is signed by a trusted Certificate Authority, bypassing proper certificate validation controls.
Critical Impact
On affected builds the client certificate no longer restricts who can connect: anyone holding valid LDAP credentials and any certificate signed by a CA present in the FortiGate trust store can establish an SSLVPN session. Certificate requirements intended as a second factor, or as a control limiting access to managed devices, can therefore be bypassed, giving the holder of a single set of LDAP credentials network access they were not meant to have.
Affected Products
- Fortinet FortiOS versions 6.4.0 through 6.4.4
- Fortinet FortiGate appliances running vulnerable FortiOS versions
- SSLVPN deployments with LDAP authentication configured
Discovery Timeline
- 2021-06-02 - CVE-2021-24012 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-24012
Vulnerability Analysis
This vulnerability is classified under CWE-295 (Improper Certificate Validation), which covers software that does not correctly verify a certificate or its chain of trust. Fortinet's advisory describes the issue only as improper certificate chain of trust validation in the SSLVPN authentication path for LDAP users; the observable effect is that the client certificate presented by an LDAP user is not checked against the identity of that user.
Authentication therefore succeeds when an LDAP user presents any certificate signed by a CA the FortiGate already trusts, whether or not that certificate was issued to that user, or by the CA the administrator intended for SSLVPN clients. This defeats the reason for requiring client certificates alongside LDAP credentials: the certificate is supposed to prove possession of a user- or device-specific private key, not merely membership in the set of everything some trusted CA has ever signed.
Root Cause
Fortinet has not published the defective code path, so the following is inferred from the advisory text and the described behaviour. When an LDAP user authenticates to SSLVPN with a client certificate, the appliance confirms that the certificate chains to a CA in its trust store, but it does not enforce that the certificate's Subject or Subject Alternative Name (SAN) identifies the authenticating user, nor that the certificate was issued by the specific CA designated for SSLVPN clients. Any certificate from any trusted CA therefore satisfies the check. The second factor is not removed outright, since an attacker still needs some trusted-CA-signed certificate and its private key, but it no longer proves who is connecting; if the trust store also contains public or unrelated CAs, obtaining a qualifying certificate is trivial.
Attack Vector
The attack is network-based and needs no interaction from any victim. An attacker needs all of the following:
- Valid LDAP credentials for the target FortiGate SSLVPN
- Any client certificate signed by a Certificate Authority trusted by the FortiGate appliance
- Network access to the SSLVPN endpoint
The attacker opens an SSLVPN connection, presents the certificate during the TLS handshake, and then supplies valid LDAP credentials when prompted. The appliance accepts the session because it checks only that the certificate was signed by a trusted CA, not that the certificate is bound to the authenticating account. Certificate-based controls meant to restrict which certificates, and hence which users or managed devices, may connect are bypassed. The LDAP credentials can be the attacker's own legitimate account (an insider who was never issued a VPN certificate) as well as stolen credentials for another user.
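To make the distinction concrete, here is an added Python model of the two checks, written for this page and not taken from FortiOS: one that accepts any certificate chaining to a CA in the trust store (the behaviour the advisory describes), and the binding check a client-certificate factor actually needs, which pins the issuing CA and requires the Subject CN or a SAN entry to identify the LDAP account. The CA names, user records and certificate fields are constructed, and signature verification is assumed to have already been performed, represented here by the issuer field.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    """Fields of an already signature-verified client certificate (constructed model)."""
    subject_cn: str
    issuer: str                 # CA that signed the certificate
    serial: str
    san_emails: tuple = ()      # rfc822Name SAN entries
    san_upns: tuple = ()        # otherName UPN SAN entries


@dataclass(frozen=True)
class LdapUser:
    """Attributes returned by the directory for the authenticating account."""
    username: str
    mail: str
    upn: str


# Constructed trust store: the VPN issuing CA plus an unrelated public root that
# the appliance also trusts for other purposes.
TRUSTED_CAS = frozenset({"Corp-VPN-Issuing-CA", "Public-Root-CA-G3"})
VPN_PEER_CA = "Corp-VPN-Issuing-CA"   # the only CA that should issue SSLVPN client certs


def weak_accept(cert: ClientCert, user: LdapUser, trusted_cas=TRUSTED_CAS) -> bool:
    """The behaviour the advisory describes: any cert from any trusted CA passes.

    The user argument is never consulted, which is exactly the defect.
    """
    return cert.issuer in trusted_cas


def strict_accept(cert: ClientCert, user: LdapUser, peer_ca: str = VPN_PEER_CA) -> bool:
    """Pin the issuing CA and require the certificate to name the LDAP account."""
    if cert.issuer != peer_ca:
        return False
    names_in_cert = {cert.subject_cn.lower()}
    names_in_cert |= {e.lower() for e in cert.san_emails}
    names_in_cert |= {u.lower() for u in cert.san_upns}
    expected = {user.username.lower(), user.mail.lower(), user.upn.lower()}
    return bool(names_in_cert & expected)


# Constructed scenarios: alice logs in with LDAP credentials and presents each cert.
ALICE = LdapUser("alice", "alice@corp.example", "alice@corp.example")
ALICE_CERT = ClientCert("alice", VPN_PEER_CA, "1001", san_upns=("alice@corp.example",))
BOB_CERT = ClientCert("bob", VPN_PEER_CA, "1002", san_upns=("bob@corp.example",))
PUBLIC_CERT = ClientCert("alice", "Public-Root-CA-G3", "77af", san_emails=("alice@corp.example",))
ROGUE_CERT = ClientCert("alice", "Attacker-CA", "1")


def compare(cert: ClientCert, user: LdapUser = ALICE) -> tuple:
    """Return (weak, strict) verdicts for a cert presented with the user's LDAP login."""
    return weak_accept(cert, user), strict_accept(cert, user)


if __name__ == "__main__":
    cases = [("own cert", ALICE_CERT), ("bob's cert", BOB_CERT),
             ("public-CA cert", PUBLIC_CERT), ("untrusted CA", ROGUE_CERT)]
    for label, cert in cases:
        weak, strict = compare(cert)
        print(f"{label:16} weak={weak!s:5} strict={strict}")
```

Only the owner's own certificate passes the strict check; another user's certificate from the right CA and a certificate for the right name from the wrong CA both pass the weak check, which is the gap the CVE describes. A real implementation validates the full chain and revocation status before these fields are consulted; on FortiOS the configuration object that expresses this binding is the PKI peer (`config user peer`), which pins a CA and subject.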
Detection Methods for CVE-2021-24012
Indicators of Compromise
- Unusual SSLVPN authentication events where certificate Common Name (CN) or SAN does not match the authenticated LDAP username
- Authentication logs showing successful SSLVPN connections with certificate serial numbers not issued to the connecting user
- Multiple LDAP users authenticating with the same client certificate
Detection Strategies
- Implement correlation rules in SIEM to flag SSLVPN authentications where certificate subject fields do not match LDAP user attributes
- Monitor FortiGate authentication logs for certificate-based SSLVPN connections and cross-reference certificate details with user identity
- Deploy network detection rules to identify anomalous TLS client certificate presentations during SSLVPN establishment; this only works where the client certificate is visible on the wire (TLS 1.2 and earlier send it in the clear, TLS 1.3 encrypts it), so the appliance's own authentication logs are the more reliable source
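The correlation rules above, run over a handful of constructed FortiGate-style key=value SSLVPN events, as an added example written for this page. The type, subtype, action, tunneltype, user and remip fields follow the usual FortiGate event-log naming; cert_cn, cert_serial and cert_issuer are assumed field names chosen for illustration, not a documented FortiOS log schema, so map them to whatever your log source actually emits. The script flags established tunnels whose certificate CN does not match the user, serials reused across different users, and certificates from an issuer other than the dedicated VPN CA.

```python
import re
from collections import defaultdict

# FortiGate event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not captured from a real appliance).
SAMPLE_LOGS = """\
date=2021-06-03 time=08:01:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" group="vpn-ldap" remip="203.0.113.10" cert_cn="alice" cert_serial="1001" cert_issuer="Corp-VPN-Issuing-CA"
date=2021-06-03 time=08:05:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" group="vpn-ldap" remip="203.0.113.11" cert_cn="alice" cert_serial="1001" cert_issuer="Corp-VPN-Issuing-CA"
date=2021-06-03 time=08:09:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="carol" group="vpn-ldap" remip="198.51.100.7" cert_cn="carol" cert_serial="77af" cert_issuer="Public-Root-CA-G3"
date=2021-06-03 time=08:10:55 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-tunnel" user="dave" group="vpn-ldap" remip="198.51.100.9" cert_cn="dave" cert_serial="1004" cert_issuer="Corp-VPN-Issuing-CA"
"""

ALLOWED_ISSUERS = {"Corp-VPN-Issuing-CA"}   # the dedicated SSLVPN client CA (assumed name)


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def successful_cert_logins(lines):
    """Yield only established SSLVPN tunnels that carried a client certificate."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up" and "cert_serial" in ev:
            yield ev


def analyze(lines=None, allowed_issuers=ALLOWED_ISSUERS) -> dict:
    """Apply the three correlation rules and return the matching events."""
    if lines is None:
        lines = SAMPLE_LOGS.splitlines()
    events = list(successful_cert_logins(lines))

    # Rule 1: the certificate CN must name the LDAP user that logged in.
    cn_mismatch = [ev for ev in events if ev["cert_cn"].lower() != ev["user"].lower()]

    # Rule 2: one certificate serial should map to exactly one user.
    users_by_serial = defaultdict(set)
    for ev in events:
        users_by_serial[ev["cert_serial"]].add(ev["user"])
    shared_serial = {s: u for s, u in users_by_serial.items() if len(u) > 1}

    # Rule 3: client certificates should come only from the dedicated VPN CA.
    unexpected_issuer = [ev for ev in events if ev["cert_issuer"] not in allowed_issuers]

    return {"cn_mismatch": cn_mismatch, "shared_serial": shared_serial,
            "unexpected_issuer": unexpected_issuer}


if __name__ == "__main__":
    findings = analyze()
    for ev in findings["cn_mismatch"]:
        print(f"CN mismatch: user={ev['user']} cert_cn={ev['cert_cn']} remip={ev['remip']}")
    for serial, users in findings["shared_serial"].items():
        print(f"serial {serial} used by {sorted(users)}")
    for ev in findings["unexpected_issuer"]:
        print(f"unexpected issuer: user={ev['user']} issuer={ev['cert_issuer']}")
```

On the sample, bob's login with alice's certificate trips rules 1 and 2 and carol's public-CA certificate trips rule 3; dave's failed login is ignored because only established tunnels matter. Rule 1 compares the CN to the bare username, so extend the match to mail or UPN SAN values if your certificates carry the identity there rather than in the CN.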
Monitoring Recommendations
- Enable detailed logging for SSLVPN authentication events including full certificate chain information
- Configure alerts for SSLVPN connections from unexpected certificate issuers or certificate serial numbers
- Regularly audit the list of trusted Certificate Authorities configured on FortiGate appliances to minimize the attack surface
How to Mitigate CVE-2021-24012
Immediate Actions Required
- Upgrade FortiOS to version 6.4.5 or later to address this vulnerability
- Review all trusted Certificate Authority configurations and remove any unnecessary or overly permissive CA trust relationships
- Audit SSLVPN authentication logs for any signs of exploitation prior to patching
Patch Information
Fortinet addressed this vulnerability in FortiOS 6.4.5 and later; consult FortiGuard advisory FG-IR-21-018 for the affected-version list and upgrade guidance. The advisory does not describe the code change beyond restoring correct certificate chain of trust validation, so after upgrading, confirm with a test account that a certificate issued to a different user, and one issued by a different trusted CA, are both rejected at SSLVPN login.
Workarounds
- Do not treat disabling client certificate authentication as a mitigation: it removes the factor outright rather than fixing it, whereas on an unpatched build the check still at least requires an attacker to hold a certificate and private key signed by a trusted CA; keep it enabled and compensate with the controls below until the upgrade is done
- Implement additional network-layer access controls to restrict which systems can reach the SSLVPN endpoint
- Consider using a dedicated Certificate Authority exclusively for SSLVPN client certificates to limit the scope of trusted certificates
# Verify the running FortiOS version (affected: 6.4.0 through 6.4.4; fixed in 6.4.5)
get system status
# Review the trusted CA store; any CA listed here can sign a certificate the flaw accepts
config vpn certificate ca
show
end
# Check SSLVPN settings, including whether client certificates are required (reqclientcert)
config vpn ssl settings
show
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


