[FortiOS] file leaking through SSL VPN language resource request Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-18-384 Final 1 1 2019-05-24T00:00:00 Current version 2019-05-24T00:00:00 2019-05-24T00:00:00 A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests. Information disclosure FortiOS 6.0 - 6.0.0 to 6.0.4FortiOS 5.6 - 5.6.3 to 5.6.7FortiOS 5.4 - 5.4.6 to 5.4.12(other branches and versions than above are not impacted)ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled. Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.Workarounds:As a temporary solution, the only workaround is to totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:config vpn ssl settingsunset source-interfaceendNote that firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.As an example, when source-interface is "port1" and SSL VPN interface is "ssl.root", the following CLI commands would be needed to ensure "unset source-interface" executes successfully:config vpn ssl settings config authentication-rulepurge (purge all authentication-rules)endendconfig firewall policy delete [policy-id] (SSL VPN policy ID(s) that srcintf is "ssl.root" and dstintf is "port1")endNote that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users. An attacker would then not be able to use stolen credentials to impersonate SSL VPN users. 2019-05-24 Initial version2019-06-04 Clarified the impacted versions and workarounds.2019-08-30 FortiOS 5.4 branch (starts from 5.4.6) also affected and fix scheduled..2019-08-30 two-factor authentication mitigation added for the disclosed exploit.2019-08-30 Add public disclosure reference link.2019-11-26 New fix on 5.4.13 released. https://fortiguard.fortinet.com/psirt/FG-IR-18-384 [FortiOS] file leaking through SSL VPN language resource request https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure. CVE-2018-13379 8.9 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-18-384 [FortiOS] file leaking through SSL VPN language resource request Reference> https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html