nessus | This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof. | FORTIOS_FG-IR-18-384.NASL
HistoryJun 14, 2019 - 12:00 a.m.

Fortinet FortiOS 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384)

2019-06-14 00:00:00
This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
287

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.969

Percentile

99.7%

The remote host is running FortiOS 5.4.6 through 5.4.12, 5.6.3 prior to 5.6.8, or 6.0.x prior to 6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to improper limitation of a pathname to a restricted directory. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to download arbitrary FortiOS system files.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration block. It only runs when `description` is set: it
# declares the plugin's identifiers, cross-references, scoring and
# prerequisites, then exits without performing any check against the target.
if (description)
{
  script_id(125885);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/30");

  # Cross-references. The CISA-KNOWN-EXPLOITED and CISA-NCAS entries tie this
  # CVE to CISA's known-exploited catalogue and advisory AA22-011A, so a
  # finding from this plugin should be triaged as actively exploited rather
  # than theoretical.
  # NOTE(review): the 2022/05/03 value is presumably the catalogue's
  # remediation due date - confirm.
  script_cve_id("CVE-2018-13379");
  script_bugtraq_id(108693);
  script_xref(name:"IAVA", value:"0001-A-0002-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
  script_xref(name:"CISA-NCAS", value:"AA22-011A");
  script_xref(name:"CEA-ID", value:"CEA-2020-0129");
  script_xref(name:"CEA-ID", value:"CEA-2021-0020");

  script_name(english:"Fortinet FortiOS 5.4.6 <= 5.4.12 / 5.6.3 < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Directory Traversal (FG-IR-18-384)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a directory traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of FortiOS 5.4.6 prior or equal to 5.4.12, 5.6.3 prior to 5.6.8 or 6.0.x prior to
6.0.5. It is, therefore, affected by a directory traversal vulnerability in the SSL VPN web portal, due to an improper
limitation of a pathname to a restricted Directory. An unauthenticated, remote attacker can exploit this, via a
specially crafted HTTP request, to download arbitrary FortiOS system files.");
  script_set_attribute(attribute:"see_also", value:"https://www.fortiguard.com/psirt/FG-IR-18-384");
  # NOTE(review): the solution text covers the upgrade path only. Because the
  # flaw lets an unauthenticated attacker read system files, upgrading does not
  # undo earlier disclosure. Responders will likely also want to review
  # SSL VPN logs and rotate secrets held on the device.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Fortinet FortiOS version to 5.6.8, 6.0.5, 6.2.0 or later. Alternatively, apply one of the workarounds
outlined in the linked advisory.");
  # The two base vectors disagree on impact: CVSS2 rates confidentiality as
  # partial with no integrity or availability impact, while the CVSS3 vector
  # rates all three as high. Prioritisation tools that read only one of them
  # will rank this finding very differently.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13379");

  # Exploit metadata: records that exploit code exists and names the
  # commercial framework module that covers it.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Fortinet FortiGate SSL VPN File Disclosure");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/14");

  # "local" plugin type: the check works from the version stored in the
  # knowledge base (see script_require_keys below) and does not send a
  # traversal request to the SSL VPN portal.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortios");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_GATHER_INFO: information-gathering category, not an attack category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: fortinet_version.nbin must run first and the
  # Host/Fortigate/version key must exist, otherwise this plugin is not run.
  # NOTE(review): a scan that cannot collect the FortiOS version therefore
  # yields no finding here, which is not evidence that the host is patched.
  script_dependencies("fortinet_version.nbin");
  script_require_keys("Host/Fortigate/version");

  exit(0);
}

include('vcf_extras_fortios.inc');

# Check body: read the FortiOS version recorded in the knowledge base, confirm
# the device is a FortiGate, compare the version with the affected ranges, and
# report unless the SSL VPN daemon is found not to be running.
var app_info = vcf::get_app_info(app:'FortiOS', kb_ver:'Host/Fortigate/version');

# NOTE(review): presumably stops the plugin for products other than FortiGate;
# the helper is defined in vcf_extras_fortios.inc and is not visible here.
vcf::fortios::verify_product_and_model(product_name:'FortiGate');

# Affected ranges, matching the plugin title:
#   5.4.6 <= v <= 5.4.12  (upper bound inclusive; no fixed 5.4 release is
#                          listed, so fixed_display points to other branches)
#   5.6.3 <= v <  5.6.8
#   6.0.0 <= v <  6.0.5
# Versions below each min_version (for example 5.6.0 to 5.6.2) are not flagged.
var constraints = [
  { 'min_version' : '5.4.6', 'max_version' : '5.4.12', 'fixed_display' : '5.6.8, 6.0.5, 6.2.0 or later' },
  { 'min_version' : '5.6.3', 'fixed_version' : '5.6.8' },
  { 'min_version' : '6.0.0', 'fixed_version' : '6.0.5' }
];

# Workaround check: is the SSL VPN daemon (sslvpnd) in the process list?
# Command form: diagnose sys top <Delay_in_seconds> <Maximum_lines_to_display> <Iterations_to_run>
# A 200-line limit and a single iteration are used so that all processes are
# listed and the output is produced only once.
# If sslvpnd is not running, the host is not currently vulnerable.
# NOTE(review): this is a point-in-time observation. A vulnerable build with
# SSL VPN disabled becomes exposed again as soon as the service is enabled, so
# a result suppressed by this workaround still needs the upgrade tracked.
# NOTE(review): if the device lists more than 200 processes, sslvpnd could
# fall outside the captured output - confirm how the helper treats that case.
var workarounds = [{config_command:'diagnose sys top 1 200 1', config_value:'sslvpnd', misc_cmd:TRUE}];

# NOTE(review): show_check and not_equal are interpreted by the vcf helper.
# Presumably 'Run Time:' confirms that the command output was obtained, and
# not_equal:TRUE makes the absence of 'sslvpnd' count as the workaround being
# in place - confirm against vcf_extras_fortios.inc.
# SECURITY_WARNING is reported even though this plugin's CVSS3 vector rates
# C/I/A as high and it carries a CISA-KNOWN-EXPLOITED cross-reference;
# consumers should not prioritise on the reported severity alone.
vcf::fortios::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  workarounds:workarounds,
  show_check:'Run Time:',
  not_equal:TRUE,
  severity:SECURITY_WARNING
);
Vendor | Product | Version | CPE
fortinet | fortios | - | cpe:/o:fortinet:fortios

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

10

Confidence

High

EPSS

0.969

Percentile

99.7%