Threat status: Widespread threat
Attacker utility: Network pivot / information disclosure
CVE-2018-13379 is a pre-authentication information disclosure vulnerability that arises from a path traversal flaw in the web portal component of FortiOS SSL VPNs, first detailed by prominent security researchers Orange Tsai and Meh Chang in August of 2019. The vulnerability allows external attackers to download FortiOS system files through specially crafted HTTP resource requests. Fortinet has a 2019 blog post on this and other CVEs here; the company also published an additional blog in November 2020 based on ongoing exploitation of the vulnerability. CVE-2018-13379 carries a CVSSv3 base score of 9.8.
CVE-2018-13379 can be used to steal valid session information from vulnerable Fortinet devices and has been broadly and actively exploited in the wild since 2019. Exploitation has continued through 2020 and the beginning of 2021—in November 2020, news articles announced that credentials for roughly 50,000 vulnerable Fortinet VPNs had been leaked, along with other high-value information such as access levels. On April 2, 2021, CISA and the FBI issued a joint alert on exploitation of FortiOS devices by APT groups. CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 were specified in the warning.
Affected products
FortiOS 6.0 - 6.0.0 to 6.0.4
FortiOS 5.6 - 5.6.3 to 5.6.7
FortiOS 5.4 - 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
Technical analysis
We have continued to see network access commoditized by both advanced and run-of-the-mill attackers leveraging this and other vulnerabilities; sustained attacks on vulnerable Fortinet devices—whether targeting this vulnerability or others—have indicated that many organizations’ patch cycles are significantly behind attacker capabilities. See existing technical assessments by AttackerKB users for additional specific analysis of this vulnerability.
Guidance
The original guidance for this vulnerability (from 2019) advised Fortigate customers to upgrade their FortiOS devices to 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above, depending on which firmware version stream those customers’ devices were using. As nearly two years have passed since Fortinet issued the original updates in May of 2019, however, we strongly advise that FortiOS customers upgrade to the latest version supported by their devices as soon as possible, without waiting for normal patch cycles: https://docs.fortinet.com/product/fortigate/7.0
If you have been running a vulnerable version of FortiOS, we also recommend conducting an investigation into whether your device(s) and networks may have been compromised. Given the criticality of these devices, organizations would be well-advised to adhere to as small a patch window as possible, and to implement a “zero-day” patch cycle if possible.
References
https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
https://www.fortiguard.com/psirt/FG-IR-18-384
https://docs.fortinet.com/product/fortigate/7.0
https://www.bleepingcomputer.com/news/security/passwords-exposed-for-almost-50-000-vulnerable-fortinet-vpns/
https://us-cert.cisa.gov/ncas/current-activity/2019/10/04/vulnerabilities-exploited-multiple-vpn-applications
https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios
