CVE-2018-13382 - Incorrect Authorization vulnerability in Fortinet FortiOS and FortiProxy

CVSS 7.5 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: NONE
  • Integrity impact: HIGH
  • Availability impact: NONE

Tags: network, low complexity, fortinet, CWE-863, nessus

Summary

An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FORTIOS_FG-IR-18-389.NASL
    description: The remote Mac OS X host is running a version of FortiOS 5.4.1 prior to 5.4.11, 5.6.x prior to 5.6.9 or 6.0.x prior to 6.0.5. It is, therefore, affected by a security bypass vulnerability in the SSL VPN web portal, due to an error when processing HTTP requests. A remote, unauthenticated attacker can exploit this, by sending a specially crafted HTTP request to change the password of an arbitrary SSL VPN web portal user.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125894
    published: 2019-06-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125894
    title: Fortinet FortiOS (Mac OS X) 5.4.1 < 5.4.11 / 5.6.x < 5.6.9 / 6.0.x < 6.0.5 SSL VPN Security Bypass (FG-IR-18-389)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(125894);
      script_version("1.7");
      script_cvs_date("Date: 2020/01/09");
    
      script_cve_id("CVE-2018-13382");
      script_bugtraq_id(108697);
      script_xref(name:"IAVA", value:"0001-A-0005");
    
      script_name(english:"Fortinet FortiOS (Mac OS X) 5.4.1 < 5.4.11 / 5.6.x < 5.6.9 / 6.0.x < 6.0.5 SSL VPN Security Bypass (FG-IR-18-389)");
      script_summary(english:"Checks the version of FortiOS.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Mac OS X host is affected by a security bypass vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Mac OS X host is running a version of FortiOS 5.4.1 prior to 5.4.11, 5.6.x prior to 5.6.9 or 6.0.x prior to
    6.0.5. It is, therefore, affected by a security bypass vulnerability in the SSL VPN web portal, due to an error when
    processing HTTP requests. A remote, unauthenticated attacker can exploit this, by sending a specially crafted HTTP
    request to change the password of an arbitrary SSL VPN web portal user.");
      # https://fortiguard.com/psirt/FG-IR-18-389
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?97f9346d");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Fortinet FortiOS version to 5.4.11, 5.6.9, 6.0.5, 6.2.0 or later. Alternatively, apply one of the
    workarounds outlined in the linked advisory");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13382");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/14");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortios");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macos_forticlient_detect.nbin");
      script_require_keys("installed_sw/FortiClient (macOS)", "Host/MacOSX/Version", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include('audit.inc');
    include('vcf.inc');
    
    if (!get_kb_item('Host/MacOSX/Version')) audit(AUDIT_OS_NOT, 'Mac OS X');
    get_kb_item_or_exit('installed_sw/FortiClient (macOS)');
    app_info = vcf::get_app_info(app:'FortiClient (macOS)');
    
    # there is a workaround
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    constraints = [
      { 'min_version':'5.4.1', 'fixed_version':'5.4.11'},
      { 'min_version':'5.6.0', 'fixed_version':'5.6.9'},
      { 'min_version':'6.0.0', 'fixed_version':'6.0.5'}
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL family: Firewalls
    NASL id: FORTIOS_FG-IR-18-389.NASL
    description: The remote host is running a version of FortiOS 5.4.1 prior to 5.4.11, 5.6.x prior to 5.6.9 or 6.0.x prior to 6.0.5. It is, therefore, affected by a security bypass vulnerability in the SSL VPN web portal, due to an error when processing HTTP requests. A remote, unauthenticated attacker can exploit this, by sending a specially crafted HTTP request to change the password of an arbitrary SSL VPN web portal user.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125888
    published: 2019-06-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125888
    title: Fortinet FortiOS 5.4.1 < 5.4.11 / 5.6.x < 5.6.9 / 6.0.x < 6.0.5 SSL VPN Security Bypass (FG-IR-18-389)