Aperçu
A critical path traversal vulnerability in Fortinet FortiOS and FortiProxy SSL VPN web portal allows unauthenticated attackers to download arbitrary system files through crafted HTTP requests. This vulnerability has been extensively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities catalog. La vulnérabilité a été divulguée le June 4, 2019. CISA a identifié CVE-2018-13379 comme étant exploitée et est connue pour être utilisée dans des campagnes de rançongiciel.
Détails techniques
The FortiOS SSL VPN web portal fails to properly validate and sanitize HTTP request paths, allowing attackers to use path traversal sequences (such as '../' and encoded variants) to access files outside the intended web root directory. This affects both the FortiOS operating system and FortiProxy appliances, which share similar vulnerable code in their SSL VPN implementations. The vulnerability does not require authentication and can be exploited remotely via standard HTTP GET or POST requests.
La vulnérabilité est classifiée comme CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')) .
La vulnérabilité a reçu un score de base CVSS v3.1 de 7.5 (HIGH) avec la chaîne vectorielle CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indiquant sa nature high.
Impact
Attackers can download sensitive system files from the affected FortiOS or FortiProxy appliances without authentication. This includes configuration files, system databases, logs, SSL certificates, and potentially authentication credentials. Particularly critical is the ability to extract the FortiOS system configuration file (typically located at /etc/config/system.conf or similar) which may contain administrative credentials, VPN user accounts, and other sensitive configuration data. The extracted information can be used for further attacks, privilege escalation, or lateral movement within target networks. This vulnerability has been actively exploited by multiple threat actors since its public disclosure.
Mitigation et contournements
Apply the security patches from Fortinet immediately. Visit https://www.fortinet.com/support/product-downloads for the latest firmware versions. For FortiOS, ensure your appliance is updated to a patched version. For managed devices, this may require coordination with your managed service provider. Les versions suivantes incluent les correctifs nécessaires : FortiOS 6.0.5 and later, FortiOS 5.6.8 and later, FortiOS 5.4.13 and later, FortiProxy 2.0.1 and later, FortiProxy 1.2.9 and later, FortiProxy 1.1.7 and later, FortiProxy 1.0.8 and later.
Comme contournements temporaires : restrict network access to the ssl vpn portal to trusted ip addresses or networks using firewall rules. implement ip-based access control lists (acls) that limit which hosts can reach the ssl vpn web interface.; disable the ssl vpn web portal if not required for business operations. some organizations may be able to use vpn client software exclusively instead of the web portal., et monitor access logs for suspicious patterns indicating exploitation attempts, such as requests containing '../' or url-encoded path traversal sequences (e.g., '..%2f', '..%5c')..
Recommandation de CISA : Apply updates per vendor instructions.
Ressources additionnelles
Source : Ce rapport a été généré par IA
