Attacker Value
Very High
(3 users assessed)
Exploitability
Very High
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
9

CVE-2018-13379 Path Traversal in Fortinet FortiOS

Disclosure Date: June 04, 2019
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Add Assessment

2
Technical Analysis

Reported as exploited in the wild at https://us-cert.cisa.gov/ncas/alerts/aa20-296a

1
Ratings
Technical Analysis

Exploit code for VPN credential-stealing is readily available, as is information on unpatched targets. The vuln is known to be exploited by nation state-sponsored threat actors as well as run-of-the-mill attackers. Fortinet customers who discover vulnerable FortiOS VPN devices on their networks will want to conduct incident response investigations in addition to patching.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • fortinet

Products

  • fortios
Technical Analysis

Threat status: Widespread threat
Attacker utility: Network pivot / information disclosure

CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs, first detailed by prominent security researchers Orange Tsai and Meh Chang in August of 2019. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests. Fortinet has a 2019 blog post on this and other CVEs here; the company also published an additional blog in November 2020 based on ongoing exploitation of the vulnerability. CVE-2018-13379 carries a CVSSv3 base score of 9.8.

CVE-2018-13379 can be used to steal valid session information from vulnerable Fortinet devices and has been broadly and actively exploited in the wild since 2019. Exploitation has continued through 2020 and the beginning of 2021—in November 2020, news articles announced that credentials for roughly 50,000 vulnerable Fortinet VPNs had been leaked, along with other high-value information such as access levels. On April 2, 2021, CISA and the FBI issued a joint alert on exploitation of FortiOS devices by APT groups. CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 were specified in the warning.

Affected products

FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Technical analysis

We have continued to see network access commoditized by both advanced and run-of-the-mill attackers leveraging this and other vulnerabilities; sustained attacks on vulnerable Fortinet devices—whether targeting this vulnerability or others—have indicated that many organizations’ patch cycles are significantly behind attacker capabilities. See existing technical assessments by AttackerKB users for additional specific analysis of this vulnerability.

Guidance

The original guidance for this vulnerability (from 2019) advised Fortigate customers to upgrade their FortiOS devices to 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above, depending on which firmware version stream those customers’ devices were using. As nearly two years have passed since Fortinet issued the original updates in May of 2019, however, we strongly advise that FortiOS customers upgrade to the latest version supported by their devices as soon as possible, without waiting for normal patch cycles: https://docs.fortinet.com/product/fortigate/7.0

If you have been running a vulnerable version of FortiOS, we also recommend conducting an investigation into whether your device(s) and networks may have been compromised. Given the criticality of these devices, organizations would be well-advised to adhere to as small a patch window as possible, and to implement a “zero-day” patch cycle if possible.

References

https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
https://www.fortiguard.com/psirt/FG-IR-18-384
https://docs.fortinet.com/product/fortigate/7.0
https://www.bleepingcomputer.com/news/security/passwords-exposed-for-almost-50-000-vulnerable-fortinet-vpns/
https://us-cert.cisa.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications
https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios