AttackerKB, AKB:35B88369-C440-49C0-98FF-C50E258FB32C
Jun 04, 2019 - 12:00 a.m.

CVE-2018-13379 Path Traversal in Fortinet FortiOS


CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

Recent assessments:

bulw4rk at March 25, 2020 8:04pm UTC reported:

Description

Due to a pre-authenticated Path Traversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is “sslvpn_websessions”, which contains session information including usernames and passwords.

Once the attacker has obtained the credentials from this file, he can authenticate with those credentials, compromising the corporate perimeter.

Mitigation

  • Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

  • Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potential domain creds) to access corporate mail, etc.

Affected Systems

  • FortiOS 6.0: 6.0.0 to 6.0.4

  • FortiOS 5.6: 5.6.3 to 5.6.7

  • FortiOS 5.4: 5.4.6 to 5.4.12

NOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.

PoC

There are some public working exploits for this vulnerability, targeting the “sslvpn_websessions” system file.

An attacker would access the following URL:

  • https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/…/…/…/…//////////dev/cmdb/sslvpn_websession

And after some parsing to the binary file, something like the following output would be obtained:

[Image: example output]

NOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>
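
For defenders, the request shape described in the assessment above can be hunted for in access logs. The following is an added example, not part of the assessment or of AttackerKB: it assumes a combined-format access log from a proxy or sensor in front of the SSL VPN portal, assumes legitimate `lang` values are short language codes, and uses constructed log lines and hypothetical function names.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a legitimate lang value is a short language code such as "en".
LANG_OK = re.compile(r"[A-Za-z]{2,3}([_-][A-Za-z]{2,4})?")
# Assumed log source: combined-format access log from a proxy in front of the portal.
REQ = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2020:10:00:05 +0000] "GET /remote/fgt_lang?lang=/../../dev/cmdb/sslvpn_websession HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2020:10:00:09 +0000] "GET /remote/fgt_lang?lang=%252e%252e%252fdev%252fcmdb%252fsslvpn_websession HTTP/1.1" 403 0',
    '192.0.2.11 - - [01/Jan/2020:10:01:00 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 900',
]

def fully_unquote(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) so encoded dots and slashes surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None for unrelated lines, else a dict describing the fgt_lang request."""
    m = REQ.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if fully_unquote(parts.path).rstrip("/") != "/remote/fgt_lang":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("lang", [""])
    lang = fully_unquote(values[0])
    suspicious = bool(lang) and not LANG_OK.fullmatch(lang)
    return {
        "src": m["src"],
        "lang": lang,
        "suspicious": suspicious,
        # A 200 on a suspicious request means a file may have been served.
        "served": suspicious and m["status"] == "200",
        "session_file": "sslvpn_websession" in lang,
    }

def scan(lines):
    return [hit for hit in map(classify, lines) if hit and hit["suspicious"]]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit with `served` set on an affected version is a reason to treat every VPN account that had an active session as exposed and to reset those credentials, in line with the mitigation notes above.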

gwillcox-r7 at November 04, 2020 4:04pm UTC reported:


ccondon-r7 at November 22, 2020 6:52pm UTC reported:


Assessed Attacker Value: 5