External risk intelligence

Fortinet SSL VPN Password Modification Vulnerability

CVE advisory · Known Exploit

CVE-2018-13382

An improper authorization vulnerability in Fortinet SSL VPN web portals allows an unauthenticated attacker to change user passwords. This could lead to unauthorized access to an organization's network and data. The business risk is high, as this vulnerability has been exploited in the wild and is associated with ransom

Halo Surface Signal: 5

Fortinet FortiOS / FortiProxy, affected versions:

  • before 1.2.9
  • 2.0.0
  • 5.4.1 to before 5.4.11
  • 5.6.0 to before 5.6.9
  • 6.0.0 to before 6.0.5

External exposure likelihood

Halo Surface Signal score for CVE-2018-13382

The vulnerability affects the SSL VPN web portal of Fortinet FortiOS and FortiProxy. These services are specifically designed to be public-facing, acting as internet edge gateways to provide remote access, and are reachable from the internet by design in normal deployment configurations.

Horizon Alert

Summary of the vulnerability and why it matters

An authorization flaw exists in the SSL VPN web portal of Fortinet FortiOS and FortiProxy. This weakness allows an unauthenticated remote attacker to change the password of an SSL VPN user. The potential business impact is unauthorized access to sensitive information and systems.

  • SSL VPN web portal
  • Improper authorization
  • Compromised user credentials

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit an improper authorization vulnerability in the SSL VPN web portal of affected Fortinet products. The attacker can craft specific HTTP requests to alter an SSL VPN user's password. This could lead to unauthorized access and control over user accounts within the affected systems.

  • Public-facing SSL VPN web portal.
  • Unauthenticated attacker sends crafted requests.
  • Attacker modifies user password, gains control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an unauthenticated attacker to modify the password of an SSL VPN web portal user. This could lead to unauthorized access to an organization's internal network and sensitive data. The vulnerability has been exploited in the wild and is associated with ransomware campaigns, indicating a significant threat. Its exploitation is considered likely due to the low complexity and lack of required privileges.

  • Likely attacker skill: Low
  • Required access: Unauthenticated, network-accessible
  • Business risk: High, urgent remediation needed

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The organization should immediately address this critical vulnerability in its Fortinet FortiOS and FortiProxy systems. The flaw allows an unauthenticated attacker to modify the password of an SSL VPN web portal user, which can lead to unauthorized access and compromise of sensitive data. A structured response identifies the affected systems, reduces their exposure, applies the vendor-provided fixes, and confirms that those fixes took effect.

  • Find affected Fortinet systems.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
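As an added example, not part of this advisory, the following Python inventory check implements the "find affected systems" step: it flags hosts whose FortiOS or FortiProxy build falls inside the affected ranges listed above. The inventory lines and host names are constructed, and the assignment of each range to a product is my reading of the page's combined list.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as listed on this page, as (product, first affected, first fixed).
# Product attribution is my reading of the page's combined list: FortiProxy for the
# 1.x / 2.0.0 entries, FortiOS for the 5.4.x / 5.6.x / 6.0.x entries.
AFFECTED_RANGES: List[Tuple[str, Optional[str], str]] = [
    ("FortiProxy", None, "1.2.9"),      # before 1.2.9
    ("FortiProxy", "2.0.0", "2.0.1"),   # 2.0.0 only
    ("FortiOS", "5.4.1", "5.4.11"),     # 5.4.1 to before 5.4.11
    ("FortiOS", "5.6.0", "5.6.9"),      # 5.6.0 to before 5.6.9
    ("FortiOS", "6.0.0", "6.0.5"),      # 6.0.0 to before 6.0.5
]

def parse_version(text: str) -> Version:
    """Turn 'v6.0.4,build0231' or '6.0.4' into (6, 0, 4) so tuples compare numerically."""
    core = text.strip().lstrip("vV").split(",")[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(product: str, version: str) -> bool:
    """True when the version sits inside a listed affected range for that product."""
    v = parse_version(version)
    for prod, low, high in AFFECTED_RANGES:
        if prod.lower() != product.lower():
            continue
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return True
    return False

def triage_inventory(lines: List[str]) -> List[str]:
    """Return hosts from 'host,product,version' inventory lines that still need the fix."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = [f.strip() for f in line.split(",", 2)]
        if is_affected(product, version):
            hits.append(host)
    return hits

# Constructed sample inventory (hypothetical hosts), one 'host,product,version' per line.
SAMPLE_INVENTORY = [
    "# host,product,version",
    "vpn-gw-01,FortiOS,v6.0.4,build0231",
    "vpn-gw-02,FortiOS,6.0.5",
    "vpn-gw-03,FortiOS,5.4.10",
    "proxy-01,FortiProxy,1.2.8",
    "proxy-02,FortiProxy,2.0.0",
]
```

Run `triage_inventory(SAMPLE_INVENTORY)` to get the hosts to patch; builds exactly at a "before" boundary (6.0.5, 5.6.9, 2.0.1) are treated as fixed.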

Frequently asked questions

What is Fortinet FortiOS and FortiProxy used for?

Fortinet FortiOS and FortiProxy are software and appliance products that provide network security functions. They are commonly used for features like SSL VPN web portals, which allow users to securely access a private network from the internet. This enables remote work and access to internal resources.

What type of weakness is CVE-2018-13382?

CVE-2018-13382 is an Improper Authorization vulnerability (CWE-863). This means that the software does not correctly verify if a user has the necessary permissions to perform an action, in this case, modifying a user's password through the SSL VPN web portal.

How can an attacker exploit this Fortinet vulnerability?

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the SSL VPN web portal. They do not need any prior authentication or special privileges. The vulnerability is triggered by these specific requests, not by normal user interactions or access.

Who should be concerned about CVE-2018-13382?

Organizations using Fortinet FortiOS or FortiProxy, particularly those with internet-facing SSL VPN web portals, should be concerned. These systems are designed to be reachable from the internet to provide remote access, making them a potential target for external attackers.

What is the first step to respond to this threat?

The first step for anyone running affected Fortinet technology is to identify all systems that utilize the vulnerable versions of FortiOS or FortiProxy. After identification, reducing the exposure of these systems or isolating them if possible should be considered, followed by applying vendor-provided fixes.
