CVE-2018-13374
Published: 2019-01-22
Priority: P1 81 · medium · 4.3 (CVSS 3.1)
CVSS 3.1 metrics: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-09-29
Exploited in the wild
EPSS: 38.09% (98.4th percentile)
An improper access control vulnerability in Fortinet FortiOS 6.0.2, 5.6.7 and before, and FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows an attacker to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
## Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortiadc | — | — |
| fortinet | fortiadc | — | — |
| fortinet | fortiadc | >= 5.4.0 < 5.4.5 | 5.4.5 |
| fortinet | fortiadc | >= 6.0.0 < 6.0.2 | 6.0.2 |
| fortinet | fortigate | — | — |
| fortinet | fortinet | — | — |
| fortinet | fortios | < 6.0.3 | 6.0.3 |
| fortinet | fortios | — | — |
## Detection & IOCs (extracted from sources)
Detection points:
- Monitor for GET requests to the FortiGate endpoint /p/user/ldap/json/. This path is used by the exploit to enumerate the existing LDAP server configuration (name, username, port, DN, CA cert) prior to triggering the credential theft.
- Monitor for GET requests to /api/ldap?json= containing a modified 'server' field pointing to an attacker-controlled IP (i.e., the 'server' value differs from the configured LDAP server) and 'secure':0. This is the direct exploitation step that redirects the LDAP bind to a rogue server.
- Detect outbound LDAP bind requests (TCP) from the FortiGate management IP to unexpected external hosts. The exploit sets up a rogue LDAP listener on the attacker's IP to capture cleartext credentials sent by FortiGate.
- CVE-2018-13374 was observed as an initial access vector in Conti ransomware attack chains alongside CVE-2018-13379; correlate FortiGate exploitation attempts with subsequent BazarLoader activity or lateral movement indicators.
- The exploit requires a valid (even read-only) FortiGate web UI login session before triggering the vulnerability; alert on successful logins to /logincheck from unusual source IPs followed immediately by requests to /p/user/ldap/json/ and /api/ldap.
Notes:
- The exploit sets 'secure':0 in the crafted LDAP request, meaning it forces an unencrypted LDAP bind. Environments that enforce LDAPS (secure=1 or higher) on all LDAP server objects may reduce the risk of credential interception in transit, but the improper access control flaw (the ability to redirect the test to an arbitrary server) still exists in affected versions.
- Affected versions span a wide range: FortiOS 6.0.2, 5.6.7 and below; FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4. Ensure patching covers all product lines, not just FortiOS/FortiGate.
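The detection points above can be turned into a small correlation routine. The following is an added example, not code from the original page or from Fortinet: it parses constructed web-UI access-log lines and constructed outbound connection-log lines (the log formats, the IP addresses, the management IP and the set of configured LDAP servers are all assumptions for the example) and flags the login-then-enumerate sequence, an /api/ldap test whose 'server' field is not a configured LDAP server or whose 'secure' field is 0, and an LDAP connection from the FortiGate to a host that is not a configured server.

```python
"""Added example (not part of the original page): correlate constructed
FortiGate access-log and connection-log lines against the IOCs listed above.
Log formats, addresses and the configured-server set are assumptions."""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample web-UI log: "<ISO time> <src_ip> <method> <path+query> <status>"
WEB_LOG = """\
2022-09-10T08:00:01 203.0.113.5 POST /logincheck 200
2022-09-10T08:00:04 203.0.113.5 GET /p/user/ldap/json/ 200
2022-09-10T08:00:09 203.0.113.5 GET /api/ldap?json=%7B%22name%22%3A%22corp-ldap%22%2C%22server%22%3A%22198.51.100.7%22%2C%22secure%22%3A0%7D 200
2022-09-10T09:15:00 10.0.0.25 POST /logincheck 200
2022-09-10T09:16:10 10.0.0.25 GET /api/ldap?json=%7B%22name%22%3A%22corp-ldap%22%2C%22server%22%3A%2210.0.0.50%22%2C%22secure%22%3A1%7D 200
"""

# Constructed sample connection log for traffic leaving the FortiGate:
# "<ISO time> <src_ip> <dst_ip> <dst_port>"
CONN_LOG = """\
2022-09-10T08:00:10 10.0.0.1 198.51.100.7 389
2022-09-10T09:16:11 10.0.0.1 10.0.0.50 636
"""

CONFIGURED_LDAP_SERVERS = {"10.0.0.50"}  # assumption: admin-configured LDAP server objects
FORTIGATE_MGMT_IP = "10.0.0.1"           # assumption: the firewall's management address
LOGIN_WINDOW = timedelta(minutes=10)     # how soon after /logincheck we treat follow-ups as linked

WEB_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_web_log(text):
    """Yield (timestamp, src_ip, method, url, status) for lines in the constructed format."""
    rows = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        ts, src, method, url, status = m.groups()
        rows.append((datetime.fromisoformat(ts), src, method, url, int(status)))
    return rows


def analyze_web_log(text, configured_servers=CONFIGURED_LDAP_SERVERS):
    """Return (src_ip, reason) findings for the web-UI side of the IOCs."""
    findings = []
    last_login = {}  # src_ip -> time of the last successful /logincheck
    for ts, src, method, url, status in parse_web_log(text):
        parts = urlsplit(url)
        if parts.path == "/logincheck" and status == 200:
            last_login[src] = ts
            continue
        recent_login = src in last_login and ts - last_login[src] <= LOGIN_WINDOW
        if parts.path == "/p/user/ldap/json/" and method == "GET":
            reason = "LDAP config enumeration via /p/user/ldap/json/"
            findings.append((src, reason + (" shortly after login" if recent_login else "")))
        elif parts.path == "/api/ldap" and method == "GET":
            raw = parse_qs(parts.query).get("json", [""])[0]  # parse_qs URL-decodes the value
            try:
                body = json.loads(raw)
            except json.JSONDecodeError:
                findings.append((src, "unparseable json= parameter on /api/ldap"))
                continue
            server = str(body.get("server", ""))
            if server and server not in configured_servers:
                findings.append((src, f"LDAP test redirected to unconfigured server {server}"))
            if body.get("secure") == 0:
                findings.append((src, "LDAP test requested with secure=0 (cleartext bind)"))
    return findings


def analyze_conn_log(text, mgmt_ip=FORTIGATE_MGMT_IP, configured_servers=CONFIGURED_LDAP_SERVERS):
    """Flag LDAP/LDAPS connections from the FortiGate to hosts that are not configured LDAP servers."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, src, dst, port = fields
        if src == mgmt_ip and port in ("389", "636") and dst not in configured_servers:
            findings.append((dst, f"outbound LDAP bind attempt to unexpected host on port {port}"))
    return findings


if __name__ == "__main__":
    for src, reason in analyze_web_log(WEB_LOG):
        print(f"[web]  {src}: {reason}")
    for dst, reason in analyze_conn_log(CONN_LOG):
        print(f"[conn] {dst}: {reason}")
```

On the constructed input the three web-side findings all attach to 203.0.113.5 (enumeration right after login, a 'server' value outside the configured set, and secure=0), while the legitimate 10.0.0.25 session testing the configured server over LDAPS produces none; the connection log adds the matching outbound port-389 attempt to the same unconfigured host, which is the strongest single indicator because it does not depend on the web log at all.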
## CVSS provenance
- nvd v3.1: 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- nvd v2.0: 4.0 MEDIUM · AV:N/AC:L/Au:S/C:P/I:N/A:N
- vulncheck: 4.3 MEDIUM
- cisa: 4.3 MEDIUM
## GHSA
GHSA-rpmq-q4mw-pc44 (ghsa_unreviewed · 2022-05-13) · CVE-2018-13374 [HIGH] CWE-732
An improper access control vulnerability in Fortinet FortiOS 6.0.2, 5.6.7 and before, and FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows an attacker to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
## VulnCheck
Fortinet FortiOS and FortiADC Improper Access Control Vulnerability (vulncheck · 2018 · CVSS 4.3) · CVE-2018-13374 [MEDIUM] CWE-732
Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server.
Affected: Fortinet FortiOS and FortiADC
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/; https://www.cisa.gov/sites/default/files/publications/202105251512_Analyst%20Note_Conti%20Ransomware_TLP%20WHITE.pdf; https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-cl
## CISA
Fortinet FortiOS and FortiADC Improper Access Control Vulnerability (cisa · 2022-09-08 · CVSS 4.3) · CVE-2018-13374 [MEDIUM] CWE-732
Affected: Fortinet FortiOS and FortiADC
Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server.
Required Action: Apply updates per vendor instructions.
Notes: https://www.fortiguard.com/psirt/FG-IR-18-157; https://nvd.nist.gov/vuln/detail/CVE-2018-13374
Remediation Due Date: 2022-09-29
## Fortinet
FG-IR-18-157 (vendor_fortinet · 2019-01-22 · CVSS 4.3) · CVE-2018-13374 [MEDIUM] CWE-732
An improper access control vulnerability in Fortinet FortiOS 6.0.2, 5.6.7 and before, and FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows an attacker to obtain the LDAP server login credentials configured in FortiGate by pointing an LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
CVEs: CVE-2018-13374
CWEs: CWE-732
CVSS: 4.3 (medium)
Affected products: FortiADC, FortiGate, FortiOS, Fortinet
No detection rules found.
## Tenable
ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help (blogs_tenable · 2022-03-24)
## Trend Micro
Conti Ransomware in the Spotlight (blogs_trendmicro · 2021-12-07)
By: Trend Micro, Dec 07, 2021
Original post by Trend Micro Research
Because Conti is currently one of the most active and notorious ransomware families, organizations should know how its attacks unfold and what means they use. We have compiled the details and also detailed countermeasures.
Conti is regarded as the successor of the Ryuk ransomware and is one of the most notorious active ransomware families today, which is operated, among other things, as Ransomware-as-a-Service (RaaS), in which
## Bugzilla
CVE-2018-1140 libldb: LDAP server crash via distinguishedName (bugzilla · 2018-05-21 · CVSS 6.5) · CVE-2018-1140 [MEDIUM]
As per upstream advisory:
All versions of Samba from 4.8.0 onwards are vulnerable to a denial of service attack when Samba is an Active Directory Domain Controller.
Missing input sanitization checks on some of the input parameters to the LDB database layer cause the LDAP server and DNS server to crash when following a NULL pointer.
There is no further vulnerability associated with this error, merely a denial of service.
External References:
- https://www.samba.org/samba/security/CVE-2018-1140.html
- https://bugzilla.samba.org/show_bug.cgi?id=13374
Acknowledgments: Laurent Debomy, Andrej Gessel and Kai Blin (The Samba project)
Created libldb tracking bugs for this issue:
Affects: fedora-all [bug 1618
## Timeline
- 2019-01-22: Published
- 2022-09-08: Added to CISA KEV
- Exploited in the wild