Vulnerabilities > CVE-2018-13384 - Open Redirect vulnerability in Fortinet Fortios

CVSS 5.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

fortinet

CWE-601

nessus

NVD

Published: 2019-06-04

Updated: 2019-06-05

Summary

A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains.

Vulnerable Configurations

Part	Description	Count
OS	Fortinet Fortinet Fortios 3.1.0 Fortinet Fortios 3.2.0 Fortinet Fortios 3.3.0 Fortinet Fortios 3.3.3 Fortinet Fortios 3.3.5 Fortinet Fortios 3.3.6 Fortinet Fortios 3.3.7 Fortinet Fortios 3.3.8 Fortinet Fortios 3.3.9 Fortinet Fortios 3.3.10 Fortinet Fortios 3.3.11 Fortinet Fortios 3.3.12 Fortinet Fortios 3.3.13 Fortinet Fortios 3.3.14 Fortinet Fortios 3.4.0 Fortinet Fortios 3.4.1 Fortinet Fortios 3.4.2 Fortinet Fortios 3.4.3 Fortinet Fortios 3.4.4 Fortinet Fortios 3.4.5 Fortinet Fortios 3.5.0 Fortinet Fortios 3.5.1 Fortinet Fortios 3.5.2 Fortinet Fortios 3.5.3 Fortinet Fortios 3.5.4 Fortinet Fortios 3.5.5 Fortinet Fortios 3.5.6 Fortinet Fortios 3.5.7 Fortinet Fortios 3.6.0 Fortinet Fortios 3.6.1 Fortinet Fortios 3.6.2 Fortinet Fortios 3.6.3 Fortinet Fortios 3.6.4 Fortinet Fortios 3.6.5 Fortinet Fortios 3.6.6 Fortinet Fortios 3.7.0 Fortinet Fortios 3.7.1 Fortinet Fortios 3.7.2 Fortinet Fortios 3.7.3 Fortinet Fortios 3.7.4 Fortinet Fortios 3.7.5 Fortinet Fortios 3.7.6 Fortinet Fortios 3.7.7 Fortinet Fortios 3.7.8 Fortinet Fortios 3.7.9 Fortinet Fortios 3.7.10 Fortinet Fortios 4.0.0 Fortinet Fortios 4.0.1 Fortinet Fortios 4.0.2 Fortinet Fortios 4.0.3 Fortinet Fortios 4.0.4 Fortinet Fortios 4.1.0 Fortinet Fortios 4.1.1 Fortinet Fortios 4.1.2 Fortinet Fortios 4.1.3 Fortinet Fortios 4.1.4 Fortinet Fortios 4.1.5 Fortinet Fortios 4.1.6 Fortinet Fortios 4.1.7 Fortinet Fortios 4.1.8 Fortinet Fortios 4.1.9 Fortinet Fortios 4.1.10 Fortinet Fortios 4.1.11 Fortinet Fortios 4.2.0 Fortinet Fortios 4.2.1 Fortinet Fortios 4.2.2 Fortinet Fortios 4.2.3 Fortinet Fortios 4.2.4 Fortinet Fortios 4.2.5 Fortinet Fortios 4.2.6 Fortinet Fortios 4.2.7 Fortinet Fortios 4.2.8 Fortinet Fortios 4.2.9 Fortinet Fortios 4.2.10 Fortinet Fortios 4.2.11 Fortinet Fortios 4.2.12 Fortinet Fortios 4.2.13 Fortinet Fortios 4.2.14 Fortinet Fortios 4.2.15 Fortinet Fortios 4.2.16 Fortinet Fortios 4.3.0 Fortinet Fortios 4.3.1 Fortinet Fortios 4.3.2 Fortinet Fortios 4.3.3 Fortinet Fortios 4.3.4 Fortinet Fortios 4.3.5 Fortinet Fortios 4.3.6 Fortinet Fortios 4.3.7 Fortinet Fortios 4.3.8 Fortinet Fortios 4.3.9 Fortinet Fortios 4.3.10 Fortinet Fortios 4.3.11 Fortinet Fortios 4.3.12 Fortinet Fortios 4.3.13 Fortinet Fortios 4.3.14 Fortinet Fortios 4.3.15 Fortinet Fortios 4.3.16 Fortinet Fortios 4.3.17 Fortinet Fortios 4.3.18 Fortinet Fortios 4.3.19 Fortinet Fortios 5.0 Fortinet Fortios 5.0.0 Fortinet Fortios 5.0.1 Fortinet Fortios 5.0.2 Fortinet Fortios 5.0.3 Fortinet Fortios 5.0.4 Fortinet Fortios 5.0.5 Fortinet Fortios 5.0.6 Fortinet Fortios 5.0.7 Fortinet Fortios 5.0.8 Fortinet Fortios 5.0.9 Fortinet Fortios 5.0.10 Fortinet Fortios 5.0.11 Fortinet Fortios 5.0.12 Fortinet Fortios 5.0.13 Fortinet Fortios 5.0.14 Fortinet Fortios 5.2.0 Fortinet Fortios 5.2.1 Fortinet Fortios 5.2.2 Fortinet Fortios 5.2.3 Fortinet Fortios 5.2.4 Fortinet Fortios 5.2.5 Fortinet Fortios 5.2.6 Fortinet Fortios 5.2.7 Fortinet Fortios 5.2.8 Fortinet Fortios 5.2.9 Fortinet Fortios 5.2.10 Fortinet Fortios 5.2.11 Fortinet Fortios 5.2.12 Fortinet Fortios 5.2.13 Fortinet Fortios 5.4 Fortinet Fortios 5.4.0 Fortinet Fortios 5.4.1 Fortinet Fortios 5.4.2 Fortinet Fortios 5.4.3 Fortinet Fortios 5.4.4 Fortinet Fortios 5.4.5 Fortinet Fortios 5.4.6 Fortinet Fortios 5.4.7 Fortinet Fortios 5.4.8 Fortinet Fortios 5.4.9 Fortinet Fortios 5.4.10 Fortinet Fortios 5.6.0 Fortinet Fortios 5.6.1 Fortinet Fortios 5.6.2 Fortinet Fortios 5.6.3 Fortinet Fortios 5.6.4 Fortinet Fortios 5.6.5 Fortinet Fortios 5.6.6 Fortinet Fortios 5.6.7 Fortinet Fortios 5.6.8 Fortinet Fortios 5.6.9 Fortinet Fortios 5.6.10 Fortinet Fortios 5.6.11 Fortinet Fortios 6.0.0 Fortinet Fortios 6.0.1 Fortinet Fortios 6.0.2 Fortinet Fortios 6.0.3 Fortinet Fortios 6.0.4	159

Common Weakness Enumeration (CWE)

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Common Attack Pattern Enumeration and Classification (CAPEC)

Fake the Source of Data
An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Nessus

NASL family	Firewalls
NASL id	FORTIOS_FG-IR-19-002.NASL
description	The remote host is running a version of FortiOS prior to 5.2.15 or 5.4.0 prior to 6.0.5. It is, therefore, affected by a host header redirection vulnerability in the SSL VPN web portal due to a failure to properly validate HTTP request headers. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request to redirect SSL VPN web portal users to arbitrary web domains.
last seen	2020-06-01
modified	2020-06-02
plugin id	125889
published	2019-06-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125889
title	Fortinet FortiOS < 5.2.15, 5.4.0 < 6.0.5 SSL VPN web portal Host Header Redirection (FG-IR-19-002)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125889); script_version("1.3"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2018-13384"); script_bugtraq_id(108454); script_name(english:"Fortinet FortiOS < 5.2.15, 5.4.0 < 6.0.5 SSL VPN web portal Host Header Redirection (FG-IR-19-002)"); script_summary(english:"Checks the version of FortiOS."); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by a host header redirection vulnerability."); script_set_attribute(attribute:"description", value: "The remote host is running a version of FortiOS prior to 5.2.15 or 5.4.0 prior to 6.0.5. It is, therefore, affected by a host header redirection vulnerability in the SSL VPN web portal due to a failure to properly validate HTTP request headers. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request to redirect SSL VPN web portal users to arbitrary web domains."); # https://fortiguard.com/psirt/FG-IR-19-002 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ee519b5"); script_set_attribute(attribute:"solution", value: "Upgrade to Fortinet FortiOS version to 5.2.15, 6.0.5 or 6.2.0 or later. Alternatively, apply one of the workarounds outlined in the linked advisory"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13384"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/17"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/14"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortios"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Firewalls"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("fortinet_version.nbin"); script_require_keys("Host/Fortigate/version", "Settings/ParanoidReport"); exit(0); } include('audit.inc'); include('vcf.inc'); app_name = 'FortiOS'; app_info = vcf::get_app_info(app:app_name, kb_ver:'Host/Fortigate/version'); # This is only for configurations with SSL VPN web portal enabled. if (report_paranoia < 2) audit(AUDIT_PARANOID); constraints = [ { 'fixed_version' : '5.2.0', 'fixed_display' : '5.2.15, 6.0.5, 6.2.0 or later'}, { 'min_version' : '5.2.0', 'fixed_version' : '5.2.15'}, { 'min_version' : '5.4.0', 'fixed_version' : '6.0.5'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_FORTIOS_FG-IR-19-002.NASL
description	The remote Mac OS X host is running a version of FortiOS prior 5.2.15 or 5.4.0 prior to 6.0.5. It is, therefore, affected by a host header redirection vulnerability in the SSL VPN web portal due to a failure to properly validate HTTP request headers. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request to redirect SSL VPN web portal users to arbitrary web domains.
last seen	2020-06-01
modified	2020-06-02
plugin id	125895
published	2019-06-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125895
title	Fortinet FortiOS (Mac OS X) < 5.2.15, 5.4.0 < 6.0.5 SSL VPN Web Portal Host Header Redirection (FG-IR-19-002)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(125895); script_version("1.3"); script_cvs_date("Date: 2020/01/09"); script_cve_id("CVE-2018-13384"); script_bugtraq_id(108454); script_name(english:"Fortinet FortiOS (Mac OS X) < 5.2.15, 5.4.0 < 6.0.5 SSL VPN Web Portal Host Header Redirection (FG-IR-19-002)"); script_summary(english:"Checks the version of FortiOS."); script_set_attribute(attribute:"synopsis", value: "The remote Mac OS X host is affected by a host header redirection vulnerability."); script_set_attribute(attribute:"description", value: "The remote Mac OS X host is running a version of FortiOS prior 5.2.15 or 5.4.0 prior to 6.0.5. It is, therefore, affected by a host header redirection vulnerability in the SSL VPN web portal due to a failure to properly validate HTTP request headers. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request to redirect SSL VPN web portal users to arbitrary web domains."); # https://fortiguard.com/psirt/FG-IR-19-002 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4ee519b5"); script_set_attribute(attribute:"solution", value: "Upgrade to Fortinet FortiOS version to 5.2.15, 6.0.5 or 6.2.0 or later. Alternatively, apply one of the workarounds outlined in the linked advisory"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13384"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/17"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/14"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortios"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macos_forticlient_detect.nbin"); script_require_keys("installed_sw/FortiClient (macOS)", "Host/MacOSX/Version", "Settings/ParanoidReport"); exit(0); } include('audit.inc'); include('vcf.inc'); if (!get_kb_item('Host/MacOSX/Version')) audit(AUDIT_OS_NOT, 'Mac OS X'); get_kb_item_or_exit('installed_sw/FortiClient (macOS)'); app_info = vcf::get_app_info(app:'FortiClient (macOS)'); # This is only for configurations with SSL VPN web portal enabled. if (report_paranoia < 2) audit(AUDIT_PARANOID); constraints = [ { 'fixed_version' : '5.2.0', 'fixed_display' : '5.2.15, 6.0.5, 6.2.0 or later'}, { 'min_version' : '5.2.0', 'fixed_version' : '5.2.15'}, { 'min_version' : '5.4.0', 'fixed_version' : '6.0.5'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

References

https://fortiguard.com/advisory/FG-IR-19-002