Shodan and CVE-2018-13379, 4 years later

Published by Reza Rafati on

It has been 4 years since CVE-2018-13379 and you got to love Shodan, as a simply query to find Fortinet devices quickly gave me over 500000 results. 531309 results to be exact.

I do hope by now, that you know that once I find something, I do share it on the Cyberwarzone site, so please take a look below for the Shodan query which will give you the 531309 Fortinet devices that are connected to the web.

Shodan query

  • http.html_hash:-1454941180

Back to CVE-2018-13379

Once we take a look at the CVE, it is explained that there is a path traversal vulnerability which affects Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7.

It is further explained that the Fortinet SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

Impact of CVE-2018-13379

The Groove ransomware gang had found 87000 vulnerable devices, and had collected credentials from them. By having these credentials, they could directly access top tier companies, but instead, they decided to leak the data to the public.

Proof of concept codes

PoC code showing the used path traversal string

Aside of Shodan, we must pay our respect to Github as they remain a wonderful source to find Proof of Concept attacks. I did a quick search on Github and of course, there were some nice hits that I will list down below.

PoC for CVE-2018-13379

Is it back?

Well, it never was gone. The thing with people and systems, is that people are lazy, don’t read or simply don’t care. The image below shows the Twitter trend on the CVE and once there is a rise, you can calculate that there is a higher chance that the CVE might be doing a lot of harm again.

Image from CVESTALKER on CVE-2018-13379

Recommendations

Please make sure that your devices are updated to the latest version, and if for any reason your system is vulnerable, make sure that you update it and perform a password reset on all of the accounts. Follow the advisories provided by searching the web for CVE-2018-13379.

Share this information

Reza Rafati

Founder of Cyberwarzone.com.