CVE-2018-13383
Published 2019-05-29
CVE-2018-13383: A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and…
Priority P181 · medium · 6.5 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-07-10
Exploited in the wild
EPSS: 33.65% (98.2th percentile)
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortinet_fortios_and_fortiproxy | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | >= 5.2.0 < 5.2.15 | 5.2.15 |
| fortinet | fortios | >= 5.4.0 < 5.4.13 | 5.4.13 |
| fortinet | fortios | >= 5.6.0 < 5.6.11 | 5.6.11 |
| fortinet | fortios | >= 6.0.0 < 6.0.5 | 6.0.5 |
| fortinet | fortiproxy | < 1.2.9 | 1.2.9 |
| fortinet | fortiproxy | — | — |
| fortinet | fortiproxy | — | — |
Detection & IOCs (extracted from sources)
Command: `python -c`
Snort/Suricata rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c|a href=|22|javascript:void|28|0|29 3b|AAA"; depth:33; fast_pattern; pcre:"/A{1000}/R"; content:"python -c"; distance:0; content:"socket"; distance:0; reference:cve,CVE-2018-13383; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027891; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
Bytes: `|3c|a href=|22|javascript:void|28|0|29 3b|AAA`
- Exploit payload is delivered in an HTTP 200 response body containing a crafted 'javascript:void(0)' href followed by ~1000 'A' characters (heap overflow padding), then a python reverse-shell command referencing 'socket'. Detect on the response path (to_client), not the request.
- Exploitation requires an authenticated SSL VPN user to visit a specifically crafted and proxied webpage; the overflow is triggered by malformed JavaScript href content in proxied pages.
- The vulnerability is classified as CWE-787 (Out-of-bounds Write) in the SSL VPN web portal component; monitor for abnormal SSL VPN web service crashes or terminations as a potential indicator of exploitation attempts.
- Only authenticated SSL VPN users are at risk of triggering RCE; unauthenticated users can only cause service termination (DoS). Ensure SSL VPN authentication is enforced and monitor for anomalous authenticated sessions.
- FortiGuard signatures have been deployed to monitor attack traffic in the wild; ensure FortiGuard signature updates are current in addition to firmware patching.
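To make the rule's match conditions concrete, here is an added example (not from the page, Emerging Threats or Fortinet) that re-implements the logic of sid:2027891 in plain Python and runs it over constructed response bodies, including the edge cases where the rule does not fire (padding run too short, href outside depth:33, non-200 status). The function and sample names are hypothetical, and the sample "payload" tail is a placeholder string, not a command.

```python
import re

# First content match of ET sid:2027891, decoded from Suricata's |hex| notation:
# |3c|a href=|22|javascript:void|28|0|29 3b|AAA  ->  <a href="javascript:void(0);AAA
HREF_PREFIX = b'<a href="javascript:void(0);AAA'
PREFIX_DEPTH = 33                      # depth:33 -> match must end within the first 33 body bytes
PADDING_RUN = re.compile(rb"A{1000}")  # pcre:"/A{1000}/R" -> searched relative to the last match


def matches_sid_2027891(status_code: int, body: bytes) -> bool:
    """Plain-Python equivalent of the rule's match conditions (hypothetical helper).

    True when a server->client HTTP response has status 200, the crafted href
    within the first 33 body bytes, a run of 1000 'A's after it, and then
    'python -c' followed by 'socket' later in the body, in that order.
    """
    if status_code != 200:                       # http.stat_code; content:"200"
        return False
    idx = body.find(HREF_PREFIX, 0, PREFIX_DEPTH)
    if idx == -1:
        return False
    cursor = idx + len(HREF_PREFIX)
    m = PADDING_RUN.search(body, cursor)         # /R: scan from where the href match ended
    if m is None:
        return False
    cursor = m.end()
    for needle in (b"python -c", b"socket"):     # distance:0 -> anywhere after previous match
        idx = body.find(needle, cursor)
        if idx == -1:
            return False
        cursor = idx + len(needle)
    return True


def constructed_samples() -> dict:
    """Constructed response bodies (not captured traffic) run through the matcher."""
    pad = b"A" * 1000
    tail = b'">x</a> python -c PLACEHOLDER_socket_PLACEHOLDER'  # stand-in, not a command
    return {
        "exploit_shape":     matches_sid_2027891(200, HREF_PREFIX + pad + tail),
        "padding_too_short": matches_sid_2027891(200, HREF_PREFIX + b"A" * 999 + tail),
        "href_too_deep":     matches_sid_2027891(200, b" " * 4 + HREF_PREFIX + pad + tail),
        "wrong_status":      matches_sid_2027891(302, HREF_PREFIX + pad + tail),
        "benign_void_href":  matches_sid_2027891(200, b'<a href="javascript:void(0);">Menu</a>'),
    }


if __name__ == "__main__":
    for name, hit in constructed_samples().items():
        print(f"{name:18s} {'ALERT' if hit else 'no match'}")
```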
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| VulnCheck | — | 4.3 | MEDIUM | — |
| CISA | — | 6.5 | MEDIUM | — |
CISA
Fortinet FortiOS and FortiProxy Out-of-bounds Write
cisa · 2022-01-10 · CVSS 6.5 · [MEDIUM] · CWE-787
Vulnerability: Fortinet FortiOS and FortiProxy Out-of-bounds Write
Affected: Fortinet FortiOS and FortiProxy
A heap buffer overflow in Fortinet FortiOS and FortiProxy may cause the SSL VPN web service termination for logged in users.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-13383
Remediation Due Date: 2022-07-10
Fortinet
FG-IR-18-388
vendor_fortinet · 2019-05-29 · CVSS 4.3 · [MEDIUM] · CWE-787
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
CVEs: CVE-2018-13383
CWEs: CWE-787
CVSS: 4.3 (medium)
Affected products: FortiOS, FortiProxy, Fortinet
Fortinet
FG-IR-20-229
vendor_fortinet · 2019-05-29 · CVSS 4.3 · [MEDIUM] · CWE-787
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
CVEs: CVE-2018-13383
CWEs: CWE-787
CVSS: 4.3 (medium)
Affected products: FortiOS, FortiProxy, Fortinet
GHSA
GHSA-cjc8-2cq5-7jq7
ghsa_unreviewed · 2022-05-24 · [MEDIUM] · CWE-119
A heap buffer overflow in Fortinet FortiOS all versions below 6.0.5 in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.
VulnCheck
Fortinet FortiOS and FortiProxy Out-of-bounds Write
vulncheck · 2018 · CVSS 4.3 · [MEDIUM] · CWE-787
A heap buffer overflow in Fortinet FortiOS and FortiProxy may cause the SSL VPN web service termination for logged in users.
Affected: Fortinet FortiOS and FortiProxy
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-07-10
Suricata
ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383)
suricata · 2019-08-14 · CVSS 4.3 · [MEDIUM]
Rule: sid:2027891, rev:3 (full rule text above under Detection & IOCs)
No public exploits indexed.
Tenable
Hold the Door: Why Organizations Need to Prioritize Patching SSL VPNs
blogs_tenable · 2021-08-25
Fortinet
FortiOS and SSL Vulnerabilities
blogs_fortinet · 2019-08-28 · CVSS 9.1 · [CRITICAL]
PSIRT BLOGS
By Fortinet | August 28, 2019
At the recent Black Hat 2019 conference held in Las Vegas this past August 3-8, security researchers discussed their discovery of security vulnerabilities that impacted several security vendors, including Fortinet. All of the vulnerabilities impacting Fortinet were fixed in April and May of 2019.
SSL VPN Vulnerabilities
Two of the vulnerabilities directly affected Fortinet’s implementation of SSL VPN. They are:
CVE-2018-13379 (FG-IR-18-384) – This is a path traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.
CVE-2018-13383 (FG-IR-18-388) – This heap buffer overflow vulnerability in t
Tenable
CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild
blogs_tenable · 2019-08-27 · CVSS 9.1 · [CRITICAL]
- Published: 2019-05-29
- Added to CISA KEV: 2022-01-10
- Exploited in the wild