| Advisory Category |
Vulnerability Management |
| Vulnerability |
CVE-2018-13379 |
| Target |
Fortinet SSL VPN |
| TLP |
 Amber |
[/vc_wp_text][vc_column_text]
CloudSEK Threat Intel has detected a threat actor selling a list of systems on the Internet that are vulnerable to CVE-2018-13379 which is a Fortinet SSL VPN path traversal vulnerability.
[caption id="attachment_8712" align="alignnone" width="730"]
The threat actor’s post enumerating the list of vulnerable targets[/caption]
Fortinet SSL-VPN Vulnerability CVE-2018-13379
CVE-2018-13379 is a path traversal vulnerability in FortinetOS SSL VPN web portal which allows unauthenticated attackers to download FortiOS system files by means of specially crafted HTTP request. Vulnerability exists only if SSL VPN service (web mode/tunnel mode) is enabled.
Vulnerable path
"https://"+ip+"/remote/fgt_lang?lang=</../../../..attacker controlled path>
Vulnerable Versions
- FortiOS 6.0 - 6.0.0 to 6.0.4
- FortiOS 5.6 - 5.6.3 to 5.6.7
- FortiOS 5.4 - 5.4.6 to 5.4.12
Impact
Technical Impact
- The attacker can read any files (including system critical files like :config files/password files) from the server
- Attackers can perform trial and error to search and read sensitive files on the target server.
Business Impact
- Malicious actors can exploit this vulnerability and cause serious downtime resulting in significant financial loss.
- Since VPN endpoints play a crucial role in business infrastructure, compromise of even a single endpoint may lead to take over of the entire domain or network.
Mitigation
- Install vendor upgrades: Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above
- Disable SSL VPN service (Work around): https://www.fortiguard.com/psirt/FG-IR-18-384
