CVE-2018-13383
published 2019-05-29


Priority: P1 (81)
Severity: medium, 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2022-07-10
Exploited in the wild
EPSS: 33.65% (98.2nd percentile)
A heap buffer overflow in Fortinet FortiOS 6.0.0 through 6.0.4, 5.6.0 through 5.6.10, 5.4.0 through 5.4.12, 5.2.14 and earlier and FortiProxy 2.0.0, 1.2.8 and earlier in the SSL VPN web portal may cause the SSL VPN web service termination for logged in users due to a failure to properly handle javascript href data when proxying webpages.

Affected

10 ranges
Vendor     Product                           Version range          Fixed in
fortinet   fortinet
fortinet   fortinet_fortios_and_fortiproxy
fortinet   fortios
fortinet   fortios                           >= 5.2.0 < 5.2.15      5.2.15
fortinet   fortios                           >= 5.4.0 < 5.4.13      5.4.13
fortinet   fortios                           >= 5.6.0 < 5.6.11      5.6.11
fortinet   fortios                           >= 6.0.0 < 6.0.5       6.0.5
fortinet   fortiproxy                        < 1.2.9                1.2.9
fortinet   fortiproxy
fortinet   fortiproxy
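To turn the fixed-in table into an inventory check, here is an added Python example (written for this page, not Fortinet's or the database's own tooling). It parses a bare version or a FortiOS "Version:" line and reports whether the device falls in one of the affected ranges above. The sample "get system status" line is constructed for illustration, and the assumption that its version appears as "v6.0.4,build..." is mine; FortiProxy 2.0.0 is treated as affected because the CVE text names it, even though the table gives it no fixed-in version.

```python
import re
from typing import Optional, Tuple

# Branches from the page's fixed-in table: (first affected, first fixed) per branch.
AFFECTED = {
    "fortios": [((5, 2, 0), (5, 2, 15)), ((5, 4, 0), (5, 4, 13)),
                ((5, 6, 0), (5, 6, 11)), ((6, 0, 0), (6, 0, 5))],
    "fortiproxy": [((0, 0, 0), (1, 2, 9))],
}
# Named as affected in the CVE description but without a fixed-in entry on this page.
FORTIPROXY_AFFECTED_NO_FIX = [(2, 0, 0)]

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract x.y.z from a bare version string or a CLI status line such as
    'Version: FortiGate-60E v6.0.4,build0231,190107 (GA)' (line format assumed;
    the sample is constructed). Returns None when no x.y.z is present."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(product: str, text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_in):
    'affected'    -> inside a listed range; fixed_in is the first fixed version (or None)
    'fixed'       -> at or after the fix on a listed branch
    'not_listed'  -> a branch the table does not cover (e.g. FortiOS 6.2)
    'unparseable' -> no version found in the input"""
    v = parse_version(text)
    if v is None:
        return ("unparseable", None)
    for lo, hi in AFFECTED.get(product, []):
        if lo <= v < hi:
            return ("affected", ".".join(map(str, hi)))
        if v[:2] == hi[:2] and v >= hi:
            return ("fixed", None)
    if product == "fortiproxy" and v in FORTIPROXY_AFFECTED_NO_FIX:
        return ("affected", None)
    return ("not_listed", None)


if __name__ == "__main__":
    # Constructed inventory lines, one per device.
    inventory = [
        ("fortios", "Version: FortiGate-60E v6.0.4,build0231,190107 (GA)"),
        ("fortios", "Version: FortiGate-100D v5.6.11,build1696,190430 (GA)"),
        ("fortios", "Version: FortiGate-200E v6.2.0,build0866,190314 (GA)"),
        ("fortiproxy", "1.2.8"),
        ("fortiproxy", "2.0.0"),
    ]
    for product, line in inventory:
        status, fix = assess(product, line)
        print(f"{product:11} {line!r}: {status}" + (f" (upgrade to {fix})" if fix else ""))
```

Branches outside the table (FortiOS 6.2 and later, or anything before 5.2) come back as not_listed rather than fixed, so they still need a manual check against the vendor advisory rather than being silently cleared.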

Detection & IOCs (extracted from sources)

command: python -c
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c|a href=|22|javascript:void|28|0|29 3b|AAA"; depth:33; fast_pattern; pcre:"/A{1000}/R"; content:"python -c"; distance:0; content:"socket"; distance:0; reference:cve,CVE-2018-13383; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027891; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: |3c|a href=|22|javascript:void|28|0|29 3b|AAA (decodes to <a href="javascript:void(0);AAA)
  • The exploit payload is delivered in an HTTP 200 response body: a crafted 'javascript:void(0);' href followed by at least 1000 'A' characters (heap overflow padding, matched by the rule's pcre A{1000}), then a python reverse-shell command referencing 'socket'. Detect on the response path (to_client), not the request.
  • Exploitation requires a logged-in SSL VPN user to visit a specially crafted webpage through the portal's proxy; the overflow is triggered by malformed JavaScript href content in the proxied page.
  • The vulnerability is classified as CWE-787 (Out-of-bounds Write) in the SSL VPN web portal component; monitor for abnormal SSL VPN web service crashes or terminations as a possible indicator of exploitation attempts.
  • RCE is reachable only through an authenticated SSL VPN session; otherwise the impact described is SSL VPN web service termination (DoS). Enforce SSL VPN authentication and monitor for anomalous authenticated sessions.
  • FortiGuard signatures have been deployed to monitor attack traffic in the wild; keep FortiGuard signature updates current in addition to patching firmware.
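To show how the ordered matches in the Snort rule above fit together, here is an added Python example written for this page (it is not Emerging Threats', Fortinet's or the database's code). It decodes the rule's |hex| content string and applies the same response-side checks: status 200, the href prefix within depth 33, then 1000 consecutive 'A's relative to that match, then "python -c" and "socket" in order. The sample response bodies are constructed for illustration and are not captured exploit traffic; the third sample shows the caveat that any HTML before the anchor tag pushes the prefix past depth:33 and the rule no longer fires.

```python
import re


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort/Suricata content string: text outside |...| is literal,
    text inside |...| is hex bytes (spaces allowed, e.g. |29 3b| -> b');')."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal segment
        else:
            out += bytes.fromhex(part)         # hex segment
    return bytes(out)


# Ordered matches of ET sid:2027891 as quoted on this page.
HREF_PREFIX = snort_content_to_bytes("|3c|a href=|22|javascript:void|28|0|29 3b|AAA")
PREFIX_DEPTH = 33                      # depth:33 -> whole prefix must lie within the first 33 body bytes
PADDING = re.compile(rb"A{1000}")      # pcre:"/A{1000}/R" -> searched relative to the previous match end
STAGE2 = [b"python -c", b"socket"]     # content ...; distance:0 -> each found after the previous match


def matches_et_2027891(status_code: int, body: bytes) -> bool:
    """Re-implementation of the rule's response-side logic (http.stat_code + ordered body matches)."""
    if status_code != 200:
        return False
    # bytes.find(sub, 0, 33) only succeeds if the whole prefix ends at or before offset 33,
    # which is what depth:33 requires; the 31-byte prefix may therefore start at offset 0..2.
    idx = body.find(HREF_PREFIX, 0, PREFIX_DEPTH)
    if idx == -1:
        return False
    cursor = idx + len(HREF_PREFIX)
    m = PADDING.search(body, cursor)   # unanchored: 1000 consecutive 'A's anywhere after the cursor
    if m is None:
        return False
    cursor = m.end()
    for needle in STAGE2:
        idx = body.find(needle, cursor)
        if idx == -1:
            return False
        cursor = idx + len(needle)
    return True


# Constructed sample responses (not captured traffic): a body shaped like the delivery the rule
# describes, and an ordinary portal page that also happens to use javascript:void(0).
SAMPLE_EXPLOIT = (
    b'<a href="javascript:void(0);' + b"A" * 1200
    + b'">x</a><!-- python -c "import socket" -->'
)
SAMPLE_BENIGN = b'<a href="javascript:void(0);">Home</a><p>Welcome to the portal</p>'


def scan(responses):
    """Evaluate (label, status, body) tuples; returns {label: matched}."""
    return {label: matches_et_2027891(status, body) for label, status, body in responses}


if __name__ == "__main__":
    results = scan([
        ("exploit", 200, SAMPLE_EXPLOIT),
        ("benign", 200, SAMPLE_BENIGN),
        ("exploit-with-preamble", 200, b"<html><body>" + SAMPLE_EXPLOIT),  # evades depth:33
    ])
    for label, hit in results.items():
        print(f"{label}: {'ALERT' if hit else 'no match'}")
```

The depth:33 constraint keeps the rule cheap and specific, but it also means the signature is tied to the exact page layout seen in the original PoC; pair it with the service-crash monitoring noted above rather than relying on it alone.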

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd         v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:N/I:N/A:P
vulncheck             4.3     MEDIUM
cisa                  6.5     MEDIUM