Perch bulletin: FortiOS CVE-2018-13379
Attention FortiOS users: due to an increase in observed incidents, we are urging any organizations utilizing FortiOS products to ensure that their devices are patched to protect against CVE-2018-13379. Remediation and mitigation steps are outlined below.
This critical vulnerability has a CVSS of 9.8 and grabbed headlines at the time of its release in 2018. It reached the news again in November of 2020 when a list of publicly accessible and unpatched FortiOS products was released online.
Multiple notifications from FortiNet, security organizations, and researchers have been sent to affected organizations in the past. However, not all instances have been patched.
Unpatched FortiOS devices are still being abused and, in some cases, have been leveraged into ransomware incidents.
CVE-2018-13379 technical details
CVE-2018-13379 is a path traversal vulnerability in FortiOS that allows unauthenticated HTTP requests to scrape the contents of /dev/cmdb/sslvpn_websession. This path contains plaintext credentials for all active VPN users, along with any synced credentials.
In other words, this exposes not only all normal and administrative users actively utilizing the SSL VPN service but any synced credentials as well, including those from tools like ADsync where further domain credentials are stored. This poses a critical risk.
Verify whether your organization utilizes any FortiOS products with the versions below:
- FortiOS 6.0 - 6.0.0 to 6.0.4
- FortiOS 5.6 - 5.6.3 to 5.6.7
- FortiOS 5.4 - 5.4.6 to 5.4.12
Patch or mitigate any exposure immediately.
If your organization has been exposed, assume breach and look to reset all credentials across the domain.
Perch and the rest of the ConnectWise family are committed to keeping our partners aware of issues like this. Please contact the Perch Security SOC with any questions, including if you are uncertain whether your organization is affected.