On May 24, 2019, Fortinet published an advisory stating that certain versions of their FortiOS software are vulnerable to a path traversal attack which allows an attacker to download system files through specially crafted HTTP requests. The vulnerability is only present when the SSL VPN service is enabled – either web-mode or tunnel-mode. The vulnerable FortiOS versions and the corresponding patched versions are:
- FortiOS 6.0.0 to 6.0.4
- Patched version: 6.0.5 or above
- FortiOS 5.6.3 to 5.6.7
- Patched version: 5.6.8 or above
- FortiOS 5.4.6 to 5.4.12
- Patched version: 5.4.13 (upcoming)
CoNetrix Security Penetration Test engineers have confirmed this vulnerability can be used to download usernames and passwords from FortiGate devices. The usernames and passwords can then be used to establish an SSL VPN connection which would give an attacker access to internal networks and systems.
CoNetrix strongly recommends all customers ensure the patched versions of FortiOS listed above are installed on all Fortinet devices that have the SSL VPN service enabled.
CoNetrix Technology customers with managed service agreements have already been updated to the FortiOS version to protect against the vulnerability.
References:
https://fortiguard.com/psirt/FG-IR-18-384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379