
Fortinet - FortiOS and SSL Vulnerabilities

At the recent Black Hat 2019 conference held in Las Vegas this past August 3-8, security researchers discussed their discovery of security vulnerabilities that impacted several security vendors, including Fortinet.

SSL VPN Vulnerabilities

Two of the vulnerabilities directly affected Fortinet’s implementation of SSL VPN. They are:

  • CVE-2018-13379 (FG-IR-18-384) – This is a path traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests. Other files could be read by an attacker using this same path traversal vulnerability.
  • CVE-2018-13383 (FG-IR-18-388) – This heap buffer overflow vulnerability in the FortiOS SSL VPN web portal could cause the SSL VPN web service to terminate for logged-in users. It could also potentially allow remote code execution on FortiOS due to a failure to handle JavaScript href content properly. This would require an authenticated user to visit a specifically crafted and proxied webpage.

Remote Password Change Vulnerability

It was also discovered that FortiOS included a string of code, created for a specific customer request, that had been inadvertently bundled into the general FortiOS release. This code enabled a user to change their password when it was close to expiring. However, due to the vulnerability listed above, where remote, unauthenticated attackers could access arbitrary files on targeted systems, this code became accessible and could potentially be used to remotely change the password of an SSL VPN web portal user.

Here are the details:

  • CVE-2018-13382 (FG-IR-18-389) – An Improper Authorization vulnerability in the SSL VPN web portal might allow an unauthenticated attacker to change the password of an SSL VPN web portal user using specially crafted HTTP requests.

Remedies

In May, FortiGuard Labs released patches and signatures for CVE-2018-13379, CVE-2018-13383, and CVE-2018-13382. The errant code string has also been removed from the FortiOS code base. A patch has also been released for all affected versions of FortiOS for this vulnerability.

In addition, we have prepared two FortiGuard signatures that block the exploitation of these vulnerabilities:

  • FortiOS.SSL.VPN.Web.Portal.Password.Improper.Authentication – This signature identifies the code string used to change a user’s password.
  • FortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure – This signature addresses CVE-2018-13379, which is a dependency for the post-authentication vulnerability CVE-2018-13383.

Our customers’ security is our first priority, and we urge customers to immediately implement all appropriate patch updates and signatures.
