Very High
CVE-2018-13379 Path Traversal in Fortinet FortiOS
Description
An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Description
Due to a pre-authenticated Path Traversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is “sslvpn_websessions” which contains session information including usernames and passwords.
Once the attacker has obtained the credentials from this file, he can authenticate with those credentials, compromising the corporate perimeter.
Mitigation
- Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.
- Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potential domain creds) to access corporate mail, etc.
Affected Systems
- FortiOS 6.0: 6.0.0 to 6.0.4
- FortiOS 5.6: 5.6.3 to 5.6.7
- FortiOS 5.4: 5.4.6 to 5.4.12
NOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.
PoC
There are some public working exploits for this vulnerability, targeting the “sslvpn_websessions” system file.
An attacker would access the following URL:
- https://<IP_ADDRESS>/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
And after some parsing of the binary file, something like the following output would be obtained:
NOTE: Example image obtained from https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
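As an added example (not code from the AttackerKB page, its contributors, or Fortinet), the following Python script scans web-server or proxy access-log lines for requests matching the traversal pattern above against the SSL VPN language endpoint. It goes slightly beyond the PoC by also catching percent-encoded variants of the same request. The log format and the sample entries are constructed assumptions; adapt the regex to whatever your logging source emits.

```python
"""Added detection example for CVE-2018-13379 traversal attempts (not from the page)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in a combined-log-like format (assumed, not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2021:12:00:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1523
10.0.0.9 - - [10/Apr/2021:12:00:02 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 40960
10.0.0.9 - - [10/Apr/2021:12:00:03 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 40960
10.0.0.7 - - [10/Apr/2021:12:00:04 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 2201
"""

# Assumed access-log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded ../ is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target):
    """True when the request hits /remote/fgt_lang with a `lang` value that escapes
    the expected language directory (dot-dot segments, an absolute path, or the
    session file named in the PoC)."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != "/remote/fgt_lang":
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        decoded = decode_fully(value).replace("\\", "/")
        if "../" in decoded or decoded.startswith("/") or "sslvpn_websession" in decoded:
            return True
    return False


def scan_log(text):
    """Return (source_ip, timestamp, status, target) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["src"], m["ts"], int(m["status"]), m["target"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("SUSPECT", *hit)
```

A 200 status with a large response size on a flagged request is the strongest signal that the file was actually served; flagged requests answered with 4xx after patching still indicate scanning activity worth correlating with the credential-reset and incident-response steps above.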
Technical Analysis
Reported as exploited in the wild at https://us-cert.cisa.gov/ncas/alerts/aa20-296a
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
Exploit code for VPN credential-stealing is readily available, as is information on unpatched targets. The vuln is known to be exploited by nation state-sponsored threat actors as well as run-of-the-mill attackers. Fortinet customers who discover vulnerable FortiOS VPN devices on their networks will want to conduct incident response investigations in addition to patching.
General Information
Vendors
- Fortinet
Products
- Fortinet FortiOS
Technical Analysis
Here is the first repo I found on a DDG search.
https://github.com/milo2012/CVE-2018-13379/blob/master/CVE-2018-13379.py
Neat, this sounds important to patch!