CVE-2018-13384 in FortiOS
Summary
by MITRE
A Host Header Redirection vulnerability in Fortinet FortiOS all versions below 6.0.5 under SSL VPN web portal allows a remote attacker to potentially poison HTTP cache and subsequently redirect SSL VPN web portal users to arbitrary web domains.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/19/2020
The CVE-2018-13384 vulnerability represents a critical host header injection flaw within Fortinet FortiOS SSL VPN web portal implementations across versions prior to 6.0.5. This vulnerability stems from insufficient validation of host headers in HTTP responses, creating an avenue for malicious actors to manipulate the redirection behavior of authenticated users. The flaw specifically affects the SSL VPN web portal functionality where the system fails to properly sanitize or validate the host header parameter in HTTP responses, allowing attackers to inject malicious host values that can be interpreted by user browsers during subsequent requests.
The technical exploitation of this vulnerability occurs through HTTP cache poisoning techniques where attackers can manipulate the host header in HTTP responses to redirect users to malicious domains. When a user authenticates through the SSL VPN portal, the system generates HTTP responses that include host headers which are not properly validated or sanitized. This creates a scenario where an attacker can inject a malicious host value that gets cached by intermediate proxies or browsers, subsequently redirecting all subsequent requests from authenticated users to attacker-controlled domains. The vulnerability operates at the application layer and specifically impacts the HTTP protocol handling within the SSL VPN web portal component of FortiOS.
The operational impact of CVE-2018-13384 extends beyond simple redirection attacks, as it enables sophisticated man-in-the-middle scenarios and credential theft operations. Attackers can leverage this vulnerability to redirect users to phishing sites that mimic legitimate SSL VPN portals, potentially capturing authentication credentials and session tokens. The vulnerability affects the fundamental trust model of the SSL VPN system, as users who have authenticated through legitimate means can be silently redirected to malicious domains without their knowledge. This creates a significant risk for organizations that rely on SSL VPN for secure remote access, as the vulnerability undermines the integrity of the authentication process and can lead to full network compromise.
Organizations affected by this vulnerability should immediately implement the Fortinet patch version 6.0.5 or higher which addresses the host header validation issue through proper input sanitization and validation mechanisms. Network administrators should also deploy additional monitoring solutions to detect anomalous host header patterns in HTTP traffic and implement strict host header validation at proxy and load balancer levels. The vulnerability aligns with CWE-601 and CWE-79, representing URL redirection flaws and cross-site scripting vulnerabilities respectively, and maps to ATT&CK technique T1566 for phishing and T1071 for application layer protocol usage. Security teams should conduct comprehensive network scanning to identify all affected FortiOS versions and implement network segmentation to limit the attack surface of SSL VPN services while ensuring proper certificate validation and host header sanitization across all web applications.