CVE-2018-13382
Published: 04 June 2019
Summary
CVE-2018-13382 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Fortinet FortiOS. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Deeper analysis
CVE-2018-13382 is an improper authorization vulnerability, tracked under CWE-863, that affects the SSL VPN web portal in Fortinet FortiOS versions 6.0.0 through 6.0.4, 5.6.0 through 5.6.8, and 5.4.1 through 5.4.10, as well as FortiProxy versions 2.0.0, 1.2.0 through 1.2.8, 1.1.0 through 1.1.6, and 1.0.0 through 1.0.7. The flaw carries a CVSS v3.1 score of 9.1 and permits unauthorized changes to user credentials through the web portal interface.
An unauthenticated remote attacker can exploit the issue over the network by sending specially crafted HTTP requests to the SSL VPN web portal, enabling modification of an affected user's password. Successful exploitation grants the attacker the ability to change credentials without authentication, resulting in high impact to confidentiality and integrity while availability remains unaffected.
Official Fortinet advisories FG-IR-18-389 and FG-IR-20-231 address the vulnerability and are referenced alongside the CISA Known Exploited Vulnerabilities catalog entry, confirming active exploitation in the wild. Security practitioners should apply the patches or mitigations detailed in those advisories for the listed FortiOS and FortiProxy releases.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-5326
Vulnerability details
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.
- CWE(s)
- CWE-863 (Incorrect Authorization)
- KEV Date Added
- 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks on all requests to the SSL VPN web portal before permitting password modifications, blocking the unauthenticated changes described in the CVE.
- AC-2 (Account Management): Requires explicit account-management authorization for password changes, preventing the unauthorized credential modifications allowed by the improper authorization flaw.
- IA-8 (Identification and Authentication (Non-Organizational Users)): Mandates identification and authentication of non-organizational users before any privileged actions such as password changes on the SSL VPN portal.