CVE-2018-13379
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
Analysis
The Fortinet FortiOS SSL-VPN web portal contains a path traversal vulnerability that lets unauthenticated attackers download system files, including session tokens and credentials. It has been widely exploited from 2019 onward by APT and ransomware groups.
Technical Context
The CWE-22 path traversal in the SSL-VPN web portal allows an unauthenticated requester to read files outside the intended directory. The critical impact comes from the ability to read /dev/cmdb/sslvpn_websession, which contains plaintext usernames and passwords for VPN sessions, so a single successful request yields working credentials and enables immediate account compromise.
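As an added example (not code from this page or from Fortinet), a small access-log scanner for the traversal described above: it percent-decodes request paths repeatedly so double-encoded `..%252f` sequences are caught, flags dot-dot sequences and any reference to the sslvpn_websession file, and runs over constructed log lines whose paths and addresses are illustrative placeholders, not the real vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real captures). The request
# paths are illustrative placeholders, not the actual vulnerable URL.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /remote/login?lang=en HTTP/1.1" 200
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /remote/portal?f=/../../../../dev/cmdb/sslvpn_websession HTTP/1.1" 200
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /remote/portal?f=..%252f..%252fdev%252fcmdb%252fsslvpn_websession HTTP/1.1" 200
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /remote/logincheck HTTP/1.1" 200
"""

# Minimal combined-log-style parser: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# File name from the advisory whose exposure makes this bug critical.
SENSITIVE = ("sslvpn_websession",)


def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so %252f (double-encoded '/') is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path):
    """Return the reasons a request path looks like traversal abuse (empty if clean)."""
    decoded = fully_decode(path).replace("\\", "/")
    reasons = []
    if "../" in decoded or decoded.endswith("/.."):
        reasons.append("dot-dot traversal")
    for name in SENSITIVE:
        if name in decoded.lower():
            reasons.append(f"references {name}")
    return reasons


def scan(log_text):
    """Parse each log line and collect the requests that classify() flags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in an unexpected layout
        reasons = classify(m["path"])
        if reasons:
            hits.append({"src": m["src"], "path": m["path"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits
```

A 200 status on a flagged request is the signal to treat that device's session credentials as exposed and start the rotation described under Remediation.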
Affected Products
Fortinet FortiOS 6.0.0 to 6.0.4
Fortinet FortiOS 5.6.3 to 5.6.7
Fortinet FortiOS 5.4.6 to 5.4.12
Fortinet FortiProxy 2.0.0
Fortinet FortiProxy 1.2.0 to 1.2.8
Fortinet FortiProxy 1.1.0 to 1.1.6
Fortinet FortiProxy 1.0.0 to 1.0.7
Remediation
Upgrade affected FortiOS and FortiProxy devices to a fixed release immediately. Rotate all VPN user credentials after patching, since session files may already have been harvested before the fix was applied. Enable MFA for VPN access. Review authentication logs for logins made with harvested credentials.