At the very least I’d debate the legitimacy of this exploit given reports like https://twitter.com/albinowax/status/1263068436298633216 and https://nvd.nist.gov/vuln/detail/CVE-2020-12440 which suggest this CVE was withdrawn due to it not actually being a valid bug. I’m not sure why this was exploited in the wild as well, as I see no evidence of this having been the case minus a light PoC whose validity is disputed (again probably also why this CVE was later revoked as not a security vulnerability).
Threat status: Widespread threat
Attacker utility: Network pivot / information disclosure
CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs, first detailed by prominent security researchers Orange Tsai and Meh Chang in August of 2019. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests. Fortinet has a 2019 blog post on this and other CVEs here; the company also published an additional blog in November 2020 based on ongoing exploitation of the vulnerability. CVE-2018-13379 carries a CVSSv3 base score of 9.8.
CVE-2018-13379 can be used to steal valid session information from vulnerable Fortinet devices and has been broadly and actively exploited in the wild since 2019. Exploitation has continued through 2020 and the beginning of 2021—in November 2020, news articles announced that credentials for roughly 50,000 vulnerable Fortinet VPNs had been leaked, along with other high-value information such as access levels. On April 2, 2021, CISA and the FBI issued a joint alert on exploitation of FortiOS devices by APT groups. CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 were specified in the warning.
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
We have continued to see network access commoditized by both advanced and run-of-the-mill attackers leveraging this and other vulnerabilities; sustained attacks on vulnerable Fortinet devices—whether targeting this vulnerability or others—have indicated that many organizations’ patch cycles are significantly behind attacker capabilities. See existing technical assessments by AttackerKB users for additional specific analysis of this vulnerability.
The original guidance for this vulnerability (from 2019) advised FortiGate customers to upgrade their FortiOS devices to 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above, depending on which firmware version stream those customers’ devices were using. As nearly two years have passed since Fortinet issued the original updates in May of 2019, however, we strongly advise that FortiOS customers upgrade to the latest version supported by their devices as soon as possible, without waiting for normal patch cycles: https://docs.fortinet.com/product/fortigate/7.0
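A fleet-triage helper for the affected version ranges and the original fixed releases listed above (an added example, not Fortinet's or AttackerKB's code; the version-string shape it parses, e.g. "v5.6.5,build1600", is an assumption):

```python
import re

# Inclusive affected ranges per branch, keyed by (major, minor), from the
# advisory text above. Other branches are not impacted.
AFFECTED = {
    (6, 0): ((6, 0, 0), (6, 0, 4)),
    (5, 6): ((5, 6, 3), (5, 6, 7)),
    (5, 4): ((5, 4, 6), (5, 4, 12)),
}
# First fixed release on each branch from the original 2019 guidance; the
# current advice is to go to the latest supported release regardless.
FIXED = {(6, 0): "6.0.5", (5, 6): "5.6.8", (5, 4): "5.4.13"}

# Assumed version-string shape: optional "v", then major.minor.patch, with
# anything after (e.g. ",build0231") ignored.
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Parse 'v6.0.4,build0231' or '6.0.4' into (6, 0, 4)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str, ssl_vpn_enabled: bool) -> dict:
    """Triage one device: is it in the affected range, and is SSL VPN on?"""
    ver = parse_version(version)
    branch = ver[:2]
    rng = AFFECTED.get(branch)
    in_range = rng is not None and rng[0] <= ver <= rng[1]
    # The bug is reachable only when SSL VPN (web or tunnel mode) is enabled,
    # but an in-range build with the service off still needs the patch.
    if not in_range:
        status = "not_affected"
    elif ssl_vpn_enabled:
        status = "vulnerable"
    else:
        status = "affected_build_ssl_vpn_disabled"
    return {"version": "%d.%d.%d" % ver, "status": status,
            "minimum_fix": FIXED.get(branch)}


if __name__ == "__main__":
    # Constructed inventory rows, not real devices.
    for v, vpn in [("v5.6.5,build1600", True), ("6.2.0", True),
                   ("5.4.13", False), ("v6.0.4,build0231", False)]:
        print(assess(v, vpn))
```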
If you have been running a vulnerable version of FortiOS, we also recommend conducting an investigation into whether your device(s) and networks may have been compromised. Given the criticality of these devices, organizations would be well-advised to adhere to as small a patch window as possible, and to implement a “zero-day” patch cycle if possible.
One of three vulnerabilities CISA and the FBI have warned are being exploited by APTs to gain initial access to government and other services. The other two vulnerabilities in the alert are CVE-2018-13379, a pre-authentication path traversal bug that has been actively and widely exploited for years now, and CVE-2020-12812 (an MFA bypass).
CISA and the FBI put out a joint warning that this is one of several FortiOS vulnerabilities APTs are exploiting to gain initial access to government and other services. We know, however, that plenty of non-APT attackers have also targeted Fortinet devices over the past several years. See the page for CVE-2018-13379 as an example. These things are high value and give attackers internal network access—keep ‘em updated on a hair trigger!