CVE-2018-13382 vulnerability in Fortinet Products
Published on June 4, 2019
An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.
Known Exploited Vulnerability
This Fortinet FortiOS and FortiProxy Improper Authorization vulnerability is part of CISA's list of Known Exploited Vulnerabilities. An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under the SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user.
The following remediation steps are recommended / required by July 10, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2018-13382 is exploitable with network access and requires neither privileges nor user interaction. The attack complexity is rated low, giving it the highest possible exploitability sub-score (3.9). A successful exploit is assessed as having no impact on confidentiality, a high impact on integrity, and no impact on availability.
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2018-13382 has been classified as an AuthZ (Improper Authorization) vulnerability or weakness.
Products Associated with CVE-2018-13382
What versions are vulnerable to CVE-2018-13382?
- Fortinet FortiOS Version 6.0.0 through 6.0.4
- Fortinet FortiOS Version 5.6.0 through 5.6.8
- Fortinet FortiOS Version 5.4.1 through 5.4.10
- Fortinet FortiProxy Version 2.0.0
- Fortinet FortiProxy Version 1.2.0 through 1.2.8 (fixed in 1.2.9)
- Fortinet FortiProxy Version 1.1.0 through 1.1.6
- Fortinet FortiProxy Version 1.0.0 through 1.0.7
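A practitioner triaging an estate wants to turn the version ranges above into a check rather than eyeball them. The block below is an added example, not code from the page or from Fortinet: it encodes the inclusive affected ranges stated in the advisory text and compares a reported version against them numerically. One assumption not drawn from the page is the input format: FortiOS reports its version in `get system status` as something like `v6.0.4,build0231,190107 (GA)`, so the parser strips a leading `v` and anything after the first comma or space.

```python
"""Check a FortiOS / FortiProxy version against the CVE-2018-13382
affected ranges.

Added example (not from the original page or from Fortinet). The ranges
are those listed in the advisory text above. The handling of a
'v6.0.4,build0231,190107 (GA)' style string is an assumption about the
format FortiOS prints in 'get system status'; the page does not state it.
"""
from typing import Tuple

Version = Tuple[int, ...]

# Inclusive (first, last) affected ranges per product, as listed above.
AFFECTED = {
    "FortiOS": [("6.0.0", "6.0.4"), ("5.6.0", "5.6.8"), ("5.4.1", "5.4.10")],
    "FortiProxy": [("2.0.0", "2.0.0"), ("1.2.0", "1.2.8"),
                   ("1.1.0", "1.1.6"), ("1.0.0", "1.0.7")],
}


def parse_version(text: str) -> Version:
    """'v6.0.4,build0231,190107 (GA)' -> (6, 0, 4).

    Comparing tuples of ints avoids the classic mistake of comparing
    version strings lexically, where '5.4.10' sorts before '5.4.9'.
    """
    core = text.strip().lstrip("v").split(",")[0].split(" ")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(product: str, version_text: str) -> bool:
    """True if the version falls inside a listed affected range."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product}")
    version = parse_version(version_text)
    return any(parse_version(low) <= version <= parse_version(high)
               for low, high in AFFECTED[product])


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    samples = [("FortiOS", "v6.0.4,build0231,190107 (GA)"),
               ("FortiOS", "5.4.10"), ("FortiOS", "6.0.5"),
               ("FortiProxy", "2.0.0"), ("FortiProxy", "1.2.9")]
    for product, text in samples:
        verdict = "listed as affected" if is_affected(product, text) else "not listed"
        print(f"{product} {text}: {verdict}")
```

Note what a negative result means: a version outside every listed range is "not listed as affected" by this advisory, which covers both the fixed releases (1.2.9 for the FortiProxy 1.2 branch, per the list above) and releases the advisory simply does not enumerate. Treat it as "not in scope of this CVE", not as "patched".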