Attacker Value
Moderate
(2 users assessed)
Exploitability
Low
(2 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
3

CVE-2018-13383

Disclosure Date: May 29, 2019
CVE-2018-13383 CVSS v3 Base Score: 6.5
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.

Add Assessment

1
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Vulnerable in default configurationDifficult to weaponizeNo useful access
Technical Analysis

There doesn’t seem to be much value for an attacker to terminate a web service.

Log in to Add Reply
1
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Common in enterpriseGives privileged accessVulnerable in default configurationAuthenticated
Technical Analysis

Seems after this analysis the risk was updated around July 2019 to be a high severity vulnerability. Technically this is a heap overflow with the potential side effect of SSL VPN web service termination for logged in users, however the bug may also result in remote code execution. @wwoolwine-r7’s assessment in my opinion fails to appropriately take this into account as it considers the side effect the main impact of this bug, rather than the fact that this can and has been exploited in the wild for remote code execution.

A full technical writeup of this bug can be found at https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html where it is noted that this is a post auth vulnerability that occurs due to a memcpy into a heap buffer using the code memcpy(buffer, js_buf, js_buf_len);. It also notes that buffer is a fixed 0x2000 byte long buffer however the length of js_buf is not limited and can be as long as the attacker wants it to be. They also note that to trigger this bug, an attacker would need to host their own HTTP server. They would then use the SSL VPN web-mode, which allows users to connect to various resources such as HTTP, FTP, RDP, etc via their web browser and will result in the SSL VPN server to requesting resources on their behalf, to connect to the malicious HTTP server and fetch their exploit on their behalf, which will result in the heap overflow.

Exploitation of this vulnerability can be prevented by ensuring all users have secure passwords with a mix of alphanumberic, uppercase, lowercase, and symbols of at least 20 characters or more. Remember that in general whilst having a mix of characters is good, length generally tends to help more than the mix of characters, however it is still highly recommended to use a mix of characters wherever possible.

Exploitation can also be prevented by disabling SSL VPN web-mode, and using SSL VPN tunnel-mode instead as it is not impacted.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Fortinet FortiOS and FortiProxy FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier, FortiProxy 2.0.0, 1.2.8 and earlier
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • fortinet

Products

  • fortios,
  • fortiproxy,
  • fortiproxy 2.0.0

Exploited in the Wild

Reported by:
Technical Analysis