CVE-2018-13374
Published: 22 January 2019
Summary
CVE-2018-13374 is a medium-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Fortinet FortiADC. Its CVSS base score is 4.3 (Medium).
Operationally, it ranks in the top 12.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2018-13374 is an improper access control vulnerability (CWE-732) affecting Fortinet FortiOS versions 6.0.2, 5.6.7 and earlier as well as FortiADC versions 6.1.0, 6.0.0–6.0.1, and 5.4.0–5.4.4. The flaw resides in the LDAP server connectivity test functionality and permits an authenticated user to obtain the login credentials configured for an LDAP server in FortiGate by redirecting the test request to an attacker-controlled rogue LDAP server.
An attacker with low privileges can exploit the issue over the network with low attack complexity. By supplying a malicious LDAP server address during the connectivity test, the attacker receives the clear-text credentials that FortiGate would otherwise use to bind to the legitimate LDAP directory, resulting in partial disclosure of sensitive configuration data without requiring user interaction.
The FortiGuard advisory FG-IR-18-157 addresses the issue and is referenced in CISA’s Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation. Organizations are advised to apply the patches or configuration updates published in the advisory to prevent credential exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-5318
Vulnerability details
An Improper Access Control in Fortinet FortiOS 6.0.2, 5.6.7 and before, FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4 allows an attacker to obtain the LDAP server login credentials configured in FortiGate via pointing an LDAP server connectivity test request to a rogue LDAP server instead of the configured one.
- CWE(s): CWE-732 (Incorrect Permission Assignment for Critical Resource)
- KEV Date Added: 08 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved authorizations on the LDAP connectivity test function so that low-privilege users cannot redirect it to a rogue server and obtain the stored bind credentials.
- Limits the set of users permitted to invoke the LDAP test operation, reducing the population that can trigger credential disclosure.
- AC-4 (Information Flow Enforcement): enforces information-flow rules that block transmission of LDAP bind credentials to an unapproved (rogue) destination address.
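As an added example (not Fortinet's code and not from the advisory), the following Python models the LDAP connectivity-test handler described in the analysis above in two forms: a weak one that lets any authenticated user point the test at a destination of their choosing, and a hardened one that applies the AC-3 and AC-4 style checks listed under Mitigating Controls. The user roles, the stored server entry, the `override_host`/`override_port` parameters and all function names are assumptions; the real FortiOS/FortiADC interface is not modelled, and the LDAP bind is replaced by a record of where the stored credentials would have been sent.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    """Constructed caller record; role is "readonly" or "admin" (an assumption)."""
    name: str
    role: str


@dataclass(frozen=True)
class LdapServerConfig:
    """Stored LDAP server entry as an appliance would keep it (constructed fields)."""
    name: str
    host: str
    port: int
    bind_dn: str
    bind_password: str


# Constructed sample configuration; the password is a placeholder, not a real secret.
CONFIGURED_SERVERS = {
    "corp-ldap": LdapServerConfig(
        name="corp-ldap",
        host="ldap.corp.example",
        port=636,
        bind_dn="cn=fortigate-svc,ou=services,dc=corp,dc=example",
        bind_password="PLACEHOLDER-BIND-PASSWORD",
    ),
}


@dataclass(frozen=True)
class BindAttempt:
    """Where the stored credentials were sent; stands in for a real LDAP bind."""
    host: str
    port: int
    bind_dn: str
    password: str


class AuthorizationError(PermissionError):
    """AC-3 failure: the caller is not authorized to run the connectivity test."""


class FlowViolation(ValueError):
    """AC-4 failure: the request tried to send credentials to an unapproved destination."""


def _lookup(server_name: str) -> LdapServerConfig:
    try:
        return CONFIGURED_SERVERS[server_name]
    except KeyError:
        raise ValueError(f"no configured LDAP server named {server_name!r}") from None


def simulated_bind(host: str, port: int, cfg: LdapServerConfig) -> BindAttempt:
    # A real implementation would open the LDAP connection here; this only records
    # the destination so the two handlers below can be compared.
    return BindAttempt(host, port, cfg.bind_dn, cfg.bind_password)


def weak_test_connectivity(user: User, server_name: str,
                           override_host: Optional[str] = None,
                           override_port: Optional[int] = None) -> BindAttempt:
    """Weak form: any authenticated user may call it, and the request may name a
    different destination, so the stored bind credentials go wherever the caller
    points the test (the pattern the analysis above describes)."""
    cfg = _lookup(server_name)
    return simulated_bind(override_host or cfg.host, override_port or cfg.port, cfg)


def hardened_test_connectivity(user: User, server_name: str,
                               override_host: Optional[str] = None,
                               override_port: Optional[int] = None) -> BindAttempt:
    """Hardened form.
    AC-3: only an admin may invoke the test.
    AC-4: the bind goes only to the host/port stored in the configuration; a request
          naming any other destination is rejected rather than silently ignored, so the
          attempt is visible in error logs and the credentials never leave for it."""
    if user.role != "admin":
        raise AuthorizationError(f"{user.name} may not run the LDAP connectivity test")
    cfg = _lookup(server_name)
    if override_host is not None and override_host != cfg.host:
        raise FlowViolation(f"{override_host!r} is not the configured host {cfg.host!r}")
    if override_port is not None and override_port != cfg.port:
        raise FlowViolation(f"port {override_port} is not the configured port {cfg.port}")
    return simulated_bind(cfg.host, cfg.port, cfg)


def credentials_left_configured_server(attempt: BindAttempt, server_name: str) -> bool:
    """True when the credentials were sent somewhere other than the stored server."""
    cfg = _lookup(server_name)
    return (attempt.host, attempt.port) != (cfg.host, cfg.port)


if __name__ == "__main__":
    low_priv = User("auditor", "readonly")
    leaked = weak_test_connectivity(low_priv, "corp-ldap", override_host="203.0.113.7")
    print("weak handler sent credentials to", leaked.host,
          "-> left configured server:", credentials_left_configured_server(leaked, "corp-ldap"))
    for call in (lambda: hardened_test_connectivity(low_priv, "corp-ldap"),
                 lambda: hardened_test_connectivity(User("ops", "admin"), "corp-ldap",
                                                    override_host="203.0.113.7")):
        try:
            call()
        except (AuthorizationError, FlowViolation) as exc:
            print("hardened handler refused:", exc)
    ok = hardened_test_connectivity(User("ops", "admin"), "corp-ldap")
    print("hardened handler bound to", ok.host, "port", ok.port)
```

The design point is that the hardened handler never trusts a destination carried in the request: the test is run against the stored entry only, and a mismatch is an error rather than an ignored field, which gives operators something to alert on when a low-privilege account repeatedly tries to redirect the test.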