An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

CVE-2018-13379

As a temporary solution,  the only workaround  is to totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:


config vpn ssl settings
unset source-interface
end

Note that firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.

As an example, when source-interface is "port1" and SSL VPN interface is "ssl.root", the following CLI commands would be needed to ensure "unset source-interface" executes successfully:



config vpn ssl settings
config authentication-rule
purge (purge all authentication-rules)
end
end

config firewall policy
delete [policy-id] (SSL VPN policy ID(s) that srcintf is "ssl.root" and dstintf is "port1")
end



Note that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users. An attacker would then not be able to use stolen credentials to impersonate SSL VPN users. 

As a temporary solution, the only workaround is to totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:
config vpn ssl settings
unset source-interface
end
Note that firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.
As an example, when source-interface is "port1" and SSL VPN interface is "ssl.root", the following CLI commands would be needed to ensure "unset source-interface" executes successfully:
config vpn ssl settings
config authentication-rule
purge (purge all authentication-rules)
end
end
config firewall policy
delete [policy-id] (SSL VPN policy ID(s) that srcintf is "ssl.root" and dstintf is "port1")
end
Note that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users. An attacker would then not be able to use stolen credentials to impersonate SSL VPN users.

temporary solution: disable the SSL-VPN service

Summary
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

Impact
Information Disclosure

Affected Products
FortiOS 6.0 - 6.0.0 to 6.0.4

FortiOS 5.6 - 5.6.3 to 5.6.7

FortiOS 5.4 - 5.4.6 to 5.4.12

(other branches and versions than above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

Summary
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Impact
Information Disclosure
Affected Products
FortiOS 6.0 - 6.0.0 to 6.0.4
FortiOS 5.6 - 5.6.3 to 5.6.7
FortiOS 5.4 - 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
Solutions
Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

FortiGaurd Labs advisory FG-IR-18-384

Featured CVEs

Feed of the featured CVEs from Vulcan Remedy Cloud.

Vulcan Remedy Cloud - Featured CVEs

Thank you for downloading from Remedy Cloud!

Please fill out the form to download the CSV

Your Script is On It's Way!

Tell us where to send the script

Your Email Was Successfully Sent!

Email

Your Name

Your fix has been sent successfully!

Suggest a Fix

Search for a CVE below to see all the available fixes

Remedy Cloud

Loading - Vulcan Remedy Cloud

The page you are looking for was moved, removed, renamed or might never existed.

CVE-2018-13379

2 fixes found:

Workaround

temporary solution: disable the SSL-VPN service

Version Update

FortiGaurd Labs advisory FG-IR-18-384