FortiOS SSL VPN - Arbitrary File Read (CVE-2018-13379)

Name: FortiOS SSL VPN - Arbitrary File Read (CVE-2018-13379)
Published: 2021-08-18T00:00:00.000Z

Severity
CVE: CVE-2018-13379
CVSSv3 Score: 9.8
Exploitable with Sniper: Yes
Vulnerability description: FortiOS SSL VPN server is affected by an Arbitrary File Read through a Path Traversal (broken limitation of a file path to a restricted folder) vulnerability, located in the fgt_lang endpoint and in the lang parameter. The root cause of this vulnerability consists in insufficient checks on the URL, that an attacker can exploit to leak system files with specially crafted HTTP requests.
Exploit capabilities: Sniper can read arbitrary files from the target system and extract them as evidence.
Risk description: The risk exists that a remote unauthenticated attacker can fully steal the credentials for all users that are present on the ForstOS SSL VPN server.
Recommendation: Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5, 6.2.0 or above.
References: https://www.fortiguard.com/psirt/FG-IR-18-384
Detectable with: Network Scanner
Vuln date: May 2019
Published at: Aug 2021
Updated at: Sep 2021
Software Type: VPN gateway
Vendor: Fortinet
Product: FortiGateway SSL VPN
Codename: Not available