Attacker Value

Very High

CVE-2018-13379 Path Traversal in Fortinet FortiOS

Attacker Value

Very High

(3 users assessed)

Exploitability

Very High

(3 users assessed)

User Interaction

CVE-2018-13379 Path Traversal in Fortinet FortiOS

Disclosure Date: June 04, 2019 •

CVE-2018-13379 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by gwillcox-r7

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Initial Access

Techniques

Validation

Exploit Public-Facing Application

Validated

Easy to weaponize Unauthenticated

Description

An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Add Assessment

bulw4rk (18)

March 25, 2020 8:04pm UTC (9 months ago)

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Unauthenticated

Technical Analysis

Description

Due to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is “sslvpn_websessions” which contains session information including usernames and password.

Once the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.

Mitigation

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc.

Affected Systems

FortiOS 6.0: 6.0.0 to 6.0.4
FortiOS 5.6: 5.6.3 to 5.6.7
FortiOS 5.4: 5.4.6 to 5.4.12

NOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.

PoC

There are some public working exploits for this vulnerability, targeting the “sslvpn_websessions” system file.

An attacker would access the following URL:

https://<IP_ADDRESS>/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

And after some parsing to the binary file, something like the following output would be obtained:

NOTE: Example image obtained from https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/

See More &2 repliesSee Less

hartescout (19) April 19, 2020 2:24am UTC (9 months ago)

Here is the first repo I found on a DDG search.
https://github.com/milo2012/CVE-2018-13379/blob/master/CVE-2018-13379.py

pbarry25 (12) April 22, 2020 1:21am UTC (9 months ago)

Neat, this sounds important to patch!

gwillcox-r7 (363)

November 04, 2020 4:04pm UTC (2 months ago)

Technical Analysis

Reported as exploited in the wild at https://us-cert.cisa.gov/ncas/alerts/aa20-296a

ccondon-r7 (89)

November 22, 2020 6:52pm UTC (2 months ago)•

Ratings

Attacker Value

Very High

Exploitability

High

Common in enterprise Easy to weaponize Gives privileged access Unauthenticated

Technical Analysis

Exploit code for VPN credential-stealing is readily available, as is information on unpatched targets. The vuln is known to be exploited by nation state-sponsored threat actors as well as run-of-the-mill attackers. Fortinet customers who discover vulnerable FortiOS VPN devices on their networks will want to conduct incident response investigations in addition to patching.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

Fortinet

Products

Fortinet FortiOS

References

Rapid7

Very High