|Advisory Category||Vulnerability Management|
|Target||Fortinet SSL VPN|
Fortinet SSL-VPN Vulnerability CVE-2018-13379CVE-2018-13379 is a path traversal vulnerability in FortinetOS SSL VPN web portal which allows unauthenticated attackers to download FortiOS system files by means of specially crafted HTTP request. Vulnerability exists only if SSL VPN service (web mode/tunnel mode) is enabled.
Vulnerable path"https://"+ip+"/remote/fgt_lang?lang=</../../../..attacker controlled path>
- FortiOS 6.0 - 6.0.0 to 6.0.4
- FortiOS 5.6 - 5.6.3 to 5.6.7
- FortiOS 5.4 - 5.4.6 to 5.4.12
- The attacker can read any files (including system critical files like :config files/password files) from the server
- Attackers can perform trial and error to search and read sensitive files on the target server.
- Malicious actors can exploit this vulnerability and cause serious downtime resulting in significant financial loss.
- Since VPN endpoints play a crucial role in business infrastructure, compromise of even a single endpoint may lead to take over of the entire domain or network.
- Install vendor upgrades: Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above
- Disable SSL VPN service (Work around): https://www.fortiguard.com/psirt/FG-IR-18-384