Moderate
CVE-2018-13383
Description
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
Ratings
- Attacker Value: Very Low
- Exploitability: Very Low
Technical Analysis
There doesn’t seem to be much value for an attacker to terminate a web service.
Ratings
- Attacker Value: High
- Exploitability: Low
Technical Analysis
Seems after this analysis the risk was updated around July 2019 to be a high severity vulnerability. Technically this is a heap overflow with the potential side effect of SSL VPN web service termination for logged in users, however the bug may also result in remote code execution. @wwoolwine-r7’s assessment in my opinion fails to appropriately take this into account as it considers the side effect the main impact of this bug, rather than the fact that this can and has been exploited in the wild for remote code execution.
A full technical writeup of this bug can be found at https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html where it is noted that this is a post auth vulnerability that occurs due to a memcpy into a heap buffer using the code memcpy(buffer, js_buf, js_buf_len). It also notes that buffer is a fixed 0x2000 byte long buffer, however the length of js_buf is not limited and can be as long as the attacker wants it to be. They also note that to trigger this bug, an attacker would need to host their own HTTP server. They would then use the SSL VPN web-mode, which allows users to connect to various resources such as HTTP, FTP, RDP, etc. via their web browser and results in the SSL VPN server requesting resources on their behalf, to connect to the malicious HTTP server and fetch their exploit on their behalf, which will result in the heap overflow.
Exploitation of this vulnerability can be prevented by ensuring all users have secure passwords with a mix of alphanumeric, uppercase, lowercase, and symbols of at least 20 characters or more. Remember that in general, whilst having a mix of characters is good, length generally tends to help more than the mix of characters; however, it is still highly recommended to use a mix of characters wherever possible.
Exploitation can also be prevented by disabling SSL VPN web-mode, and using SSL VPN tunnel-mode instead as it is not impacted.
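To show what the missing check in the assessment above looks like in code, here is an added C example that is not from the page, the linked write-up, or FortiOS: a hypothetical bounded-buffer type whose copy routine compares the remotely supplied js_buf_len against the fixed 0x2000 byte capacity before calling memcpy, refusing the copy instead of overflowing the heap buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define JS_BUF_CAP 0x2000  /* fixed heap buffer size quoted in the write-up */

/* Hypothetical bounded buffer: the capacity travels with the pointer. */
typedef struct {
    uint8_t *data;
    size_t cap;
    size_t len;
} js_bounded_buf;

/* Allocate the fixed-size destination; 0 on success, -1 on allocation failure. */
int js_buf_init(js_bounded_buf *b) {
    b->data = calloc(1, JS_BUF_CAP);
    b->cap = JS_BUF_CAP;
    b->len = 0;
    return b->data ? 0 : -1;
}

void js_buf_free(js_bounded_buf *b) {
    free(b->data);
    b->data = NULL;
    b->cap = b->len = 0;
}

/* Hardened form of memcpy(buffer, js_buf, js_buf_len): the remotely
 * controlled length is checked against the destination capacity first and
 * an oversize href is refused. Returns 0 on success, -1 if it does not fit. */
int js_buf_copy_checked(js_bounded_buf *b, const uint8_t *js_buf, size_t js_buf_len) {
    if (b->data == NULL || js_buf_len > b->cap)
        return -1;
    memcpy(b->data, js_buf, js_buf_len);
    b->len = js_buf_len;
    return 0;
}

/* Constructed driver: copy small_len then big_len filler bytes into a fresh
 * buffer, reporting each result. Returns 0, or -1 on allocation failure. */
int demo_href_lengths(size_t small_len, size_t big_len, int *small_rc, int *big_rc) {
    js_bounded_buf b;
    if (js_buf_init(&b) != 0) return -1;
    uint8_t *payload = malloc(big_len);
    if (payload == NULL) { js_buf_free(&b); return -1; }
    memset(payload, 'A', big_len); /* constructed filler, not real href data */
    *small_rc = js_buf_copy_checked(&b, payload, small_len);
    *big_rc = js_buf_copy_checked(&b, payload, big_len);
    free(payload);
    js_buf_free(&b);
    return 0;
}
```

A payload of exactly 0x2000 bytes is accepted and one of 0x2001 bytes is refused, which is the boundary the unchecked memcpy never tested.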
General Information
Vendors
- fortinet
Products
- fortios
- fortiproxy
- fortiproxy 2.0.0
Exploited in the Wild