===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0775
                        FortiProxy security updates
                               4 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiProxy
Publisher:         Fortiguard
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22128 CVE-2020-6648 CVE-2019-17655
                   CVE-2018-13380

Reference:         ESB-2020.3787
                   ESB-2020.2230
                   ESB-2020.0320
                   ESB-2019.1891.3

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-20-224
   https://fortiguard.com/psirt/FG-IR-20-235
   https://fortiguard.com/psirt/FG-IR-20-230
   https://fortiguard.com/psirt/FG-IR-20-236

Comment: This bulletin contains four (4) Fortiguard security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

FortiProxy SSL VPN user credential plaintext storage

IR Number    : FG-IR-20-224
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 4.9
Impact       : Information Disclosure
CVE ID       : CVE-2019-17655

Summary

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiProxy
SSL VPN may allow an attacker to retrieve a logged-in SSL VPN user's
credentials, should that attacker be able to read the session file stored on
the targeted device's system. To successfully exploit this weakness, another
unrelated weakness (e.g. a system file leaking vulnerability) would need to be
exploited first.

Impact

Information Disclosure

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.9 and below
FortiProxy versions 1.1.6 and below
FortiProxy versions 1.0.7 and below

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.

-----------------------------------------------------------------------------

FortiProxy SSL-VPN Improper Access Control vulnerability through the Quick connection functionality

IR Number    : FG-IR-20-235
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Improper Access Control
CVE ID       : CVE-2021-22128

Summary

An improper access control vulnerability in the FortiProxy SSL VPN portal may
allow an authenticated, remote attacker to access internal services such as the
ZebOS shell on the FortiProxy appliance through the Quick Connection
functionality.

Impact

Improper Access Control

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.9 and below
FortiProxy versions 1.1.6 and below
FortiProxy versions 1.0.7 and below

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.

Acknowledgement

Internally discovered and reported by the Fortinet PSIRT Team.

-----------------------------------------------------------------------------

FortiProxy multiple pre-auth XSS vulnerabilities on SSL VPN

IR Number    : FG-IR-20-230
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 4.6
Impact       : Cross-site scripting (XSS)
CVE ID       : CVE-2018-13380

Summary

An Improper Neutralization of Input During Web Page Generation vulnerability in
the SSL VPN portal of FortiProxy may allow an unauthenticated, remote attacker
to perform a reflected Cross Site Scripting (XSS) attack by injecting a
malicious payload into the error, message or redir parameters.

Impact

Cross-site scripting (XSS)

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.8 and below
FortiProxy versions 1.1.6 and below
FortiProxy versions 1.0.7 and below

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.9 or above.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

-----------------------------------------------------------------------------

Potential sensitive information can be displayed in cleartext in FortiProxy CLI window

IR Number    : FG-IR-20-236
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 5.2
Impact       : Information Disclosure
CVE ID       : CVE-2020-6648

Summary

A cleartext storage of sensitive information vulnerability in the FortiProxy
command line interface may allow an authenticated attacker to obtain sensitive
information, such as VPN users' passwords, by connecting to the FortiProxy CLI
and executing the "diagnose sys ha checksum show" command.

Impact

Information Disclosure

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.9 and below
FortiProxy versions 1.1.6 and below
FortiProxy versions 1.0.7 and below

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.

Acknowledgement

Fortinet is pleased to thank Shaun Farrow for reporting this vulnerability
under responsible disclosure.

--------------------------END INCLUDED TEXT--------------------
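The four advisories above share one set of affected branches but differ on where the 1.2 line stops being vulnerable (1.2.8 for FG-IR-20-230, 1.2.9 for the other three), and only the 2.0 and 1.2 lines have a named fixed build. The following triage helper is an added example, not Fortiguard's or AusCERT's code; it encodes exactly the version ranges and fix targets stated in the bulletin and reports which advisories a given FortiProxy version is still exposed to.

```python
# Added example (not from the advisory): triage a FortiProxy version against the
# affected ranges in FG-IR-20-224/235/230/236 and report the stated fix target.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

def parse_version(text: str) -> Version:
    """Parse '1.2.9' or 'v1.2.9' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiProxy version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

# Highest affected release per branch, transcribed from each advisory's
# "Affected Products" paragraph. Only FG-IR-20-230 stops one build earlier on 1.2.
_COMMON: Dict[Branch, Version] = {(2, 0): (2, 0, 0), (1, 2): (1, 2, 9),
                                  (1, 1): (1, 1, 6), (1, 0): (1, 0, 7)}
AFFECTED: Dict[str, Dict[Branch, Version]] = {
    "FG-IR-20-224 / CVE-2019-17655": _COMMON,
    "FG-IR-20-235 / CVE-2021-22128": _COMMON,
    "FG-IR-20-230 / CVE-2018-13380": {**_COMMON, (1, 2): (1, 2, 8)},
    "FG-IR-20-236 / CVE-2020-6648": _COMMON,
}
# Fixed builds named in each advisory's "Solutions" paragraph (2.0 and 1.2 only).
FIXED: Dict[str, Dict[Branch, Version]] = {
    k: {(2, 0): (2, 0, 1), (1, 2): (1, 2, 9) if "20-230" in k else (1, 2, 10)}
    for k in AFFECTED
}

def triage(version_text: str) -> List[Tuple[str, str]]:
    """Return (advisory, action) pairs for every advisory the version is exposed to."""
    v = parse_version(version_text)
    branch: Branch = (v[0], v[1])
    findings: List[Tuple[str, str]] = []
    for advisory, ceilings in AFFECTED.items():
        ceiling = ceilings.get(branch)
        if ceiling is None or v > ceiling:
            continue  # branch not listed, or already past the last affected build
        fix = FIXED[advisory].get(branch)
        if fix is not None:
            action = "upgrade to " + ".".join(map(str, fix)) + " or above"
        else:
            # 1.1.x and 1.0.x have no fixed build in the bulletin; the only
            # stated remedies are the 1.2.10 / 2.0.1 (or 1.2.9 for 20-230) lines.
            action = "no fixed release on this branch; move to 1.2.10 or 2.0.1 or above"
        findings.append((advisory, action))
    return findings

if __name__ == "__main__":
    for ver in ("2.0.0", "1.2.8", "1.2.9", "1.2.10", "1.1.3", "2.0.1"):
        print(ver, triage(ver) or "not affected by these four advisories")
```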

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================