Fortinet FortiOS SSL VPN Multiple Cross-Site Scripting Vulnerabilities (CVE-2018-13379,CVE-2018-13380,CVE-2018-13381,CVE-2018-13382,CVE-2018-13383)

Summary:

Amidst the global lock-down, attackers have turned to SSL VPN vulnerabilities as a lucrative entry point. Throughout the previous year they targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to break into large companies (vulnerabilities for which Qualys already provides detection coverage), and this time FortiOS SSL VPN is the target. Multiple pre- and post-authentication SSL VPN vulnerabilities have been observed being exploited in the wild on FortiGate SSL VPN devices.

Description:

There are more than 480k SSL VPN servers operating on the internet, and they are common in Asia and Europe. One can identify a FortiGate SSL VPN from the URL /remote/login.

FortiGate compiles all the programs and configuration files into a single binary, which makes /bin/init huge. The web daemon provides two web interfaces on the FortiGate. One is the admin interface, handled by /bin/httpsd on port 443. The other is the normal user interface, handled by /bin/sslvpnd on port 4433 by default. Generally, the admin page should be restricted from the internet, so only the user interface is reachable from outside.

A brief description of the five reported CVEs for FortiOS SSL VPN:

CVE-2018-13379: Pre-auth arbitrary file reading*

CVE-2018-13379 is a pre-authentication arbitrary file read vulnerability in the way FortiOS attempts to request a language file from the system. On exploitation, the session file ‘sslvpn_websession’, which contains usernames and plaintext passwords, becomes readable on a vulnerable system.

There is no path protection other than a file extension that is appended automatically, so it seems one can only read .json files. However, the path is built with the snprintf call below into a fixed 0x40-byte buffer: a lang value long enough to exceed that buffer causes the output to be truncated and the .json suffix to be stripped. Then one can read whatever file one wants.

snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);   /* s is a 0x40 (64) byte buffer; lang comes from the request */
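As an added illustration (my own code, not the page's or FortiOS's), the following C program reproduces the pattern above with the same 0x40-byte buffer: the unchecked version ignores snprintf's return value and silently loses the ".json" suffix once lang is long enough, while a hardened variant allow-lists the language token and treats truncation as an error. The 60-character input, the 16-byte length limit and the allow-list are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#define PATH_BUF 0x40   /* same 64-byte buffer as the snprintf call above */

/* Flawed pattern (my reconstruction, not FortiOS code): snprintf's return value is
 * ignored, so a lang value long enough to fill the buffer silently loses ".json". */
const char *unchecked_path(const char *lang) {
    static char s[PATH_BUF];
    snprintf(s, sizeof s, "/migadmin/lang/%s.json", lang);
    return s;
}

/* Hardened variant (my suggestion, not Fortinet's patch): allow-list the language
 * token and treat truncation as an error instead of using the shortened path. */
const char *checked_path(const char *lang) {
    static char s[PATH_BUF];
    size_t i, n = strlen(lang);
    int w;
    if (n == 0 || n > 16) return NULL;                 /* language codes are short */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '_' && c != '-') return NULL;  /* no '/', '.', ... */
    }
    w = snprintf(s, sizeof s, "/migadmin/lang/%s.json", lang);
    if (w < 0 || (size_t)w >= sizeof s) return NULL;  /* output would be truncated */
    return s;
}

/* Constructed over-long input: 60 'A's, enough to push ".json" past the buffer. */
const char *long_lang(void) {
    static char l[61];
    memset(l, 'A', 60);
    l[60] = '\0';
    return l;
}

int main(void) {
    printf("unchecked(\"en\") -> %s\n", unchecked_path("en"));
    printf("unchecked(long) -> %s\n", unchecked_path(long_lang()));   /* no .json */
    printf("checked(long)   -> %s\n", checked_path(long_lang()) ? "path" : "rejected");
    return 0;
}
```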

CVE-2018-13380: Pre-auth XSS


  • /remote/error?errmsg=ABABAB--%3E%3Cscript%3Ealert(1)%3C/script%3E
  • /remote/loginredir?redir=6a6176617363726970743a616c65727428646f63756d656e742e646f6d61696e29
  • /message?title=x&msg=%26%23<svg/onload=alert(1)>;


CVE-2018-13381: Pre-auth heap overflow

First the server calculates the buffer length of the encoded string while encoding HTML entities; then it encodes into the buffer. In the calculation stage, for example, the encoded string for < is &#60;, which should occupy 5 bytes. If it encounters anything starting with &#, such as &#60;, it considers that token already encoded and counts its length directly. If we input a malicious string like &#<<<;, each < is still encoded into &#60;, so the result is &#&#60;&#60;&#60;;! This is much longer than the expected length of 6 bytes, so it leads to a heap overflow.
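To make the length mismatch concrete, here is an added C model of the two-pass encoder described above (my own simplified construction, not FortiOS code): flawed_len counts the way the page describes, encode performs the real encoding without the shortcut, and correct_len sizes the buffer with the same routine that fills it. Only '<' is encoded in this model, and the static 64-byte buffer is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of the two-pass entity encoder described above (my own construction,
 * not FortiOS code): only '<' is encoded, to "&#60;", which is 5 bytes. */
#define LT_ENT "&#60;"
#define LT_LEN (sizeof LT_ENT - 1)
/* Pass 1 as the page describes it (flawed): a run starting "&#" and ending at the
 * next ';' is assumed to be an already-encoded token and counted verbatim. */
size_t flawed_len(const char *p) {
    size_t n = 0;
    const char *semi;
    while (*p) {
        if (p[0] == '&' && p[1] == '#' && (semi = strchr(p, ';')) != NULL) {
            n += (size_t)(semi - p) + 1;        /* "&#<<<;" counts as 6 bytes */
            p = semi + 1;
        } else {
            n += (*p == '<') ? LT_LEN : 1;
            p++;
        }
    }
    return n;
}
/* Pass 2: the real encoder has no shortcut, so every '<' still becomes 5 bytes.
 * snprintf-style: returns the length needed, writes at most cap-1 bytes plus NUL. */
size_t encode(const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in; in++) {
        size_t len = (*in == '<') ? LT_LEN : 1;
        if (out && n + len < cap) memcpy(out + n, (*in == '<') ? LT_ENT : in, len);
        n += len;
    }
    if (out && cap) out[n < cap ? n : cap - 1] = '\0';
    return n;
}

/* Correct pass 1: size the buffer with the same routine that fills it. */
size_t correct_len(const char *in) { return encode(in, NULL, 0); }

const char *encode_static(const char *in) {   /* encode into a static 64-byte buffer */
    static char buf[64];
    encode(in, buf, sizeof buf);
    return buf;
}

int main(void) {
    const char *evil = "&#<<<;";   /* constructed input from the write-up */
    printf("flawed_len=%zu needed=%zu out=%s\n",
           flawed_len(evil), correct_len(evil), encode_static(evil));
    return 0;
}
```

With the flawed pass the server would allocate 6 bytes for output that actually needs 18; sizing with correct_len removes the mismatch.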

CVE-2018-13382: The magic backdoor*

A special parameter called magic was found in the login page. Once the parameter matches a hardcoded string, one can modify any user’s password. However, an attacker would need to know what the “magic” string is in order to reset a password.

CVE-2018-13383: Post-auth heap overflow

This is a vulnerability in the WebVPN feature. While parsing JavaScript in the HTML, it tries to copy content into a buffer with the following code:

memcpy(buffer, js_buf, js_buf_len);

The buffer size is fixed to 0x2000, but the input string is unlimited. Hence, it leads to heap overflow. When an attacker instructs the SSL VPN to proxy to an attacker-controlled web server hosting an exploit file, this vulnerability gets triggered.

Image Source: Meh Chang and Orange Tsai

The PoC can be divided into three parts, viz. a fake SSL structure, a ROP chain and the overflow string, which are described in detail in the referenced write-up.

According to the April ’21 CISA update, CISA warns users and administrators of the likelihood that advanced persistent threat (APT) actors are actively exploiting the known Fortinet FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Affected Products:

FortiOS 6.0.0 to 6.0.4

FortiOS 5.6.0 to 5.6.7

FortiOS 5.4 and below

Advisory:

https://fortiguard.com/psirt/FG-IR-18-383

https://fortiguard.com/psirt/FG-IR-18-384

https://fortiguard.com/psirt/FG-IR-18-387

https://fortiguard.com/psirt/FG-IR-18-388

https://fortiguard.com/psirt/FG-IR-18-389

https://www.fortiguard.com/psirt/FG-IR-19-037

Mitigation:

NOTE*: Vulnerable only when the SSL VPN service is enabled.

Fortinet has provided workarounds, which can be found in the advisory pages listed above. Please note that some of the workarounds include disabling the SSL-VPN service entirely.

Fortinet has released patches for CVE-2018-13379, CVE-2018-13380, CVE-2018-13381, CVE-2018-13382, CVE-2018-13383, CVE-2020-12812, and CVE-2019-5591.

Qualys customers can scan their network with QID(s) 43703, 13544, 43825, and 43769 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on vulnerabilities.

Workaround Detection

Qualys Policy Compliance customers can evaluate the workaround for CVE-2018-13379, CVE-2018-13380, CVE-2018-13381, CVE-2018-13382 and CVE-2018-13383 with the following control:

Control 20010: Status of the source interface setting for SSL-VPN

For a Pass condition, make sure no “source-interface” related setting is configured.

References & Sources:

  • http://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html
  • https://twitter.com/codewhitesec/status/1145967317672714240
  • https://www.exploit-db.com/exploits/47287
  • https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
  • https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios
