Executive Summary
CVE-2018-13379 is a critical path traversal vulnerability in Fortinet's FortiOS SSL VPN web portal. This vulnerability allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. The vulnerability affects FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12, as well as FortiProxy versions 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, and 1.0.0 to 1.0.7. This report delves into the technical details, exploitation in the wild, APT groups leveraging this vulnerability, affected product versions, and mitigation strategies.
Technical Information
CVE-2018-13379 is an Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") vulnerability in the Fortinet FortiOS SSL VPN web portal. This vulnerability allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. The vulnerability has a CVSS v3.1 Base Score of 9.8 (Critical), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
The vulnerability arises from improper handling of directory traversal sequences in HTTP requests. An attacker can exploit the flaw by sending specially crafted HTTP requests containing directory traversal characters (e.g., '../') to read arbitrary files on the system, including configuration files, stored user credentials, and other sensitive data.
The affected products include FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12, as well as FortiProxy versions 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, and 1.0.0 to 1.0.7. Fortinet has released patches to address this vulnerability, and it is crucial for organizations to update their systems to the latest versions to mitigate the risk.
Exploitation in the Wild
This vulnerability has been actively exploited in the wild. Various threat actors, including APT groups, have leveraged this vulnerability to gain unauthorized access to sensitive information. The FBI, CISA, and NCSC have published alerts warning about massive scanning for Fortinet SSL VPN appliances vulnerable to CVE-2018-13379 exploits.
Notable attacks include multiple APT groups exploiting this vulnerability to infiltrate corporate networks and exfiltrate sensitive data. In these attacks, directory-traversal characters ('../') are used to read arbitrary files that contain sensitive information, which is then used to mount further attacks.
APT Groups using this vulnerability
Several APT groups have been reported to exploit this vulnerability. These groups target various sectors and countries, including government agencies, financial institutions, healthcare organizations, and critical infrastructure. The exploitation of CVE-2018-13379 by APT groups underscores the critical nature of this vulnerability and the need for immediate remediation.
Affected Product Versions
The affected product versions include FortiOS versions 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12, as well as FortiProxy versions 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, and 1.0.0 to 1.0.7. Organizations using these versions are at risk and should prioritize updating to the latest versions provided by Fortinet.
Workaround and Mitigation
To mitigate this vulnerability, organizations should apply the latest patches provided by Fortinet: update FortiOS to a version beyond 6.0.4, 5.6.7, or 5.4.12, and FortiProxy to a version beyond 2.0.0, 1.2.8, 1.1.6, or 1.0.7. Additionally, monitor SSL VPN web portal requests for directory-traversal sequences and other unusual activity so that exploitation attempts are detected. Restrict access to the SSL VPN web portal to trusted IP addresses and enforce strong authentication mechanisms.
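As an added example (not part of this advisory or of any Fortinet tooling), the following Python script shows the kind of monitoring the mitigation above calls for: it parses constructed Common Log Format lines from an SSL VPN web portal, percent-decodes each request target (including double encoding) and flags any request whose path or query value carries a bare '..' segment, the traversal pattern described under Technical Information. The log lines, IP addresses and the /remote/EXAMPLE path are constructed placeholders, not real endpoints.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not real traffic). The
# request paths are placeholders that only illustrate the '../' pattern.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2019:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1532
203.0.113.7 - - [10/May/2019:10:01:05 +0000] "GET /remote/static/logo.png HTTP/1.1" 200 8810
198.51.100.9 - - [10/May/2019:10:02:11 +0000] "GET /remote/EXAMPLE?lang=/../../../../etc/hosts HTTP/1.1" 200 2048
198.51.100.9 - - [10/May/2019:10:02:12 +0000] "GET /remote/EXAMPLE?lang=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 2048
198.51.100.9 - - [10/May/2019:10:02:13 +0000] "GET /remote/EXAMPLE?lang=..%252f..%252fetc%252fhosts HTTP/1.1" 404 310
203.0.113.8 - - [10/May/2019:10:03:00 +0000] "GET /remote/help?topic=a..b HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')

def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded '..%252f' becomes '../',
    then fold backslashes into slashes so '..\\' is handled the same way."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def is_traversal(target):
    """True if any path or query-value segment is a bare '..' component.
    'a..b' is not flagged; '/../', '?lang=../' and decoded '%2e%2e/' are."""
    parts = re.split(r"[?&=]", target)
    return any(seg == ".." for part in parts for seg in part.split("/"))

def find_traversal_attempts(log_text):
    """One finding per request whose decoded target contains traversal.
    'served' is True when the server answered 200, i.e. the file was likely read."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        if is_traversal(decoded):
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "target": decoded, "served": m.group("status") == "200"})
    return findings
```

A finding answered with HTTP 200 means the requested file was most likely served, so the appliance should be treated as compromised and any credentials it held reset after patching.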
References
For further information and technical details, please refer to the following resources:
- NVD - CVE-2018-13379 (https://nvd.nist.gov/vuln/detail/CVE-2018-13379)
- Fortinet PSIRT Advisory (https://www.fortiguard.com/psirt/FG-IR-18-384)
- Fortinet Blog on CVE-2018-13379 (https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379)
- Broadcom Security Center (https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=31736)
- Tenable Blog on Fortinet Vulnerabilities (https://www.tenable.com/blog/cve-2018-13379-cve-2019-5591-cve-2020-12812-fortinet-vulnerabilities-targeted-by-apt-actors)
- MITRE CVE-2018-13379 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379)
- Innovate Cybersecurity Advisory (https://innovatecybersecurity.com/security-threat-advisory/an-older-vulnerability-in-fortinets-vpn-operating-system-is-seeing-a-new-wave-of-attacks/)
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive threat intelligence, vulnerability management, and proactive defense strategies to safeguard your organization. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.