Critical Security Advisory: Addressing CVE-2018-13374 Improper Access Control in Fortinet FortiOS and FortiADC
Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing a LDAP server connectivity test request to a rogue LDAP server.
FREQUENTLY ASKED
What is CVE-2018-13374 and why does it matter?
CVE-2018-13374 is an improper access control vulnerability in Fortinet FortiOS and FortiADC. It matters because it allows an authenticated attacker to redirect LDAP connectivity tests to a rogue server. This facilitates the theft of LDAP server login credentials, which can lead to broader network compromise and has been actively exploited by ransomware actors.
Which versions of the product are affected?
The affected versions include FortiOS 6.0.2, 5.6.7 and earlier versions. For FortiADC, the vulnerability impacts versions 6.1.0, 6.0.0 through 6.0.1, and 5.4.0 through 5.4.4. Organizations running these specific releases should immediately verify their firmware status to assess risk exposure.
Has a patch been released for this vulnerability?
Yes, Fortinet has released official patches and security updates to address this issue. The fix involves upgrading to a non-vulnerable firmware version as specified in the FortiGuard advisory FG-IR-18-157. Applying these updates is the primary method for neutralizing the threat of credential redirection via the LDAP test mechanism.
What is the remediation deadline and what it means for compliance?
The remediation deadline was September 29, 2022. For organizations following CISA Binding Operational Directive (BOD) 22-01, this date represents the mandatory cutoff for patching known exploited vulnerabilities. Failure to meet this deadline can result in non-compliance and increased risk of successful ransomware deployment against the infrastructure.
How can I check if my instance is affected?
To check if an instance is affected, administrators should verify the currently installed firmware version of their FortiGate or FortiADC appliance against the list of vulnerable versions (e.g., FortiOS 6.0.2 or below). Additionally, reviewing audit logs for unauthorized LDAP connectivity test requests pointing to unfamiliar IP addresses can help identify potential exploitation attempts.
CVE-2018-13374 is a significant security flaw identified in Fortinet FortiOS and FortiADC appliances, classified under CWE-732: Incorrect Permission Assignment for Critical Resource. With a CVSS score of 4.3 (Medium), it may initially appear less critical than high-severity remote code execution flaws; however, its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and its observed use in ransomware campaigns elevate its urgency. This vulnerability allows a network-based attacker with low privileges to intercept sensitive LDAP credentials, potentially leading to lateral movement and full domain compromise. Due to its active exploitation status, immediate remediation by the deadline of September 29, 2022, is mandatory for compliant organizations.
Vulnerability Profile
Field
Value
CVE ID
CVE-2018-13374
Affected Product & Versions
FortiOS 6.0.2, 5.6.7 and before; FortiADC 6.1.0, 6.0.0 to 6.0.1, 5.4.0 to 5.4.4
At its core, CVE-2018-13374 is an instance of CWE-732, where the application does not properly restrict access to a critical resource or function. In the context of FortiOS and FortiADC, the "resource" is the LDAP connectivity test mechanism. In a secure environment, the ability to modify infrastructure settings—such as where the device sends authentication requests—should be strictly limited to high-privilege administrators. However, this vulnerability allows a user with "Low" privileges to interact with this diagnostic tool in a way the system did not intend.
The LDAP Redirect Attack Chain
LDAP (Lightweight Directory Access Protocol) is the backbone of identity management for many enterprises. Fortinet devices use LDAP to communicate with Active Directory or other directory services for user authentication. To assist administrators, Fortinet included a "connectivity test" feature that verifies the appliance can reach the configured LDAP server.
The attack chain works as follows:
Initial Access: The attacker gains low-privileged authenticated access to the FortiOS or FortiADC management interface.
Parameter Manipulation: The attacker accesses the LDAP connectivity test utility. Instead of using the legitimate, pre-configured LDAP server address, the attacker provides the IP address or hostname of a rogue LDAP server they control.
Credential Transmission: The Fortinet appliance, lacking sufficient access controls to validate that the test request aligns with the configured infrastructure, initiates a connection to the attacker's server.
Interception: To verify connectivity, the appliance attempts to "bind" (log in) to the rogue LDAP server using the credentials stored in the appliance's configuration. The attacker’s server captures these credentials in cleartext or a reversible format.
Attack Surface and Blast Radius
The attack surface is the web management interface of the affected Fortinet devices. While the CVSS vector indicates that privileges are required (PR:L), in many corporate environments, "low-privileged" accounts are common among IT staff or automated systems. The blast radius is extensive: once an attacker possesses LDAP credentials, they often gain the ability to query the entire Active Directory structure, escalate privileges, and move laterally across the network. This is precisely why ransomware groups leverage such "medium" severity flaws—they provide the keys to the kingdom after an initial foothold is established.
Who Is Affected: Identifying Your Risk Profile
Organizations utilizing FortiGate firewalls or FortiADC load balancers within the specified version ranges are at significant risk. This includes:
Enterprise IT Departments: Managing large-scale identity integrations.
Managed Service Providers (MSPs): Handling multiple client Fortinet environments where a single compromised account could lead to multi-tenant credential theft.
Government Agencies: Specifically those subject to CISA BOD 22-01. The remediation deadline of September 29, 2022, highlights that this is not a theoretical risk but a documented tool in the arsenal of advanced persistent threats (APTs).
If your organization has not updated its Fortinet firmware since late 2018 or early 2019, it is highly probable that your perimeter or internal load balancers remain vulnerable to this specific exploit.
Official Remediation Steps
To eliminate the risk associated with CVE-2018-13374, administrators must follow the official vendor guidance from Fortinet. The primary fix is a firmware upgrade.
Verify Current Version: Check the system dashboard of your FortiOS or FortiADC appliance.
Obtain Official Patches: Download the appropriate firmware from the Fortinet Support Portal. Refer to FG-IR-18-157 for specific build numbers.
Apply Update: Perform the firmware upgrade during a scheduled maintenance window. For FortiOS, it is recommended to move to at least version 6.0.3 or 5.6.8. For FortiADC, move to 6.1.1 or 5.4.5 or higher.
Audit LDAP Configurations: Post-patch, review your LDAP server settings to ensure no unauthorized changes were made during the period of vulnerability.
Rotate LDAP Credentials: As a precautionary measure, rotate the service account credentials used by the Fortinet appliance to connect to your LDAP/Active Directory server. This ensures that any previously intercepted credentials are no longer valid.
Security Best Practices for LDAP and Access Control
Beyond patching, implementing defense-in-depth strategies can mitigate the impact of similar access control vulnerabilities:
Implement the Principle of Least Privilege (PoLP): Ensure that only the absolute minimum number of administrators have access to diagnostic and connectivity tools. Low-privileged users should never have the ability to trigger outbound network requests to arbitrary IP addresses.
Network Segmentation for Management: Place the management interfaces of FortiOS and FortiADC on a dedicated, isolated management VLAN. Access to this VLAN should be restricted via ACLs or a VPN with Multi-Factor Authentication (MFA).
Monitor Outbound LDAP Traffic: Configure your internal firewalls to only allow LDAP traffic (Ports 389, 636) from the Fortinet appliance to the specific, authorized IP addresses of your internal directory servers. Any attempt to reach an external or unknown IP over LDAP should trigger a high-priority security alert.
Use LDAPS (LDAP over SSL/TLS): Always encrypt LDAP traffic. While this doesn't prevent redirection, it is a foundational security requirement for protecting credentials in transit.
Review Audit Logs Regularly: Monitor system logs for LDAP connectivity test events. Look for anomalies where the destination IP does not match your internal infrastructure.
Service Account Hardening: The LDAP service account used by the Fortinet device should have "Read-Only" permissions in the directory and be restricted from logging into sensitive workstations or servers.
Continuous Vulnerability Scanning: Utilize automated tools to track the firmware versions of all network infrastructure components, ensuring that legacy vulnerabilities like CVE-2018-13374 are identified and remediated before they can be exploited.