Vulnerability Details : CVE-2018-13379

An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Vulnerability category: Directory traversal

Published 2019-06-04 21:29:00

Updated 2021-06-03 11:15:08

Source Fortinet, Inc.

View at NVD, CVE.org

CVE-2018-13379 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Fortinet FortiOS SSL VPN Path Traversal Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2018-13379

Probability of exploitation activity in the next 30 days: 97.42%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2018-13379

FortiOS Path Traversal Credential Gatherer

auxiliary/gather/fortios_vpnssl_traversal_creds_leak

Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to 6.0.4 are vulnerable to a path traversal vulnerability within the SSL VPN web portal which allows unauthenticated attackers to download FortiOS system files through specially crafted HTTP requests. This module exploits this vulnerability to read the usernames and passwords of users currently logged into the FortiOS SSL VPN, which are stored in plaintext in the "/dev/cmdb/sslvpn_websession" file on the VPN server.

More information

CVSS scores for CVE-2018-13379

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H	3.9	5.2	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High

CWE ids for CVE-2018-13379

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: [email protected] (Primary)

References for CVE-2018-13379

https://www.fortiguard.com/psirt/FG-IR-20-233
https://fortiguard.com/advisory/FG-IR-18-384

Mitigation;Vendor Advisory

Products affected by CVE-2018-13379

Fortinet » Fortios
Versions from including (>=) 5.6.3 and up to, including, (<=) 5.6.7
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
Matching versions
Fortinet » Fortios
Versions from including (>=) 6.0.0 and up to, including, (<=) 6.0.4
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
Matching versions