===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0775
                        FortiProxy security updates
                                4 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiProxy
Publisher:         Fortiguard
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-22128 CVE-2020-6648 CVE-2019-17655
                   CVE-2018-13380
Reference:         ESB-2020.3787 ESB-2020.2230 ESB-2020.0320 ESB-2019.1891.3

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-20-224
   https://fortiguard.com/psirt/FG-IR-20-235
   https://fortiguard.com/psirt/FG-IR-20-230
   https://fortiguard.com/psirt/FG-IR-20-236

Comment: This bulletin contains four (4) Fortiguard security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

FortiProxy SSL VPN user credential plaintext storage

IR Number    : FG-IR-20-224
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 4.9
Impact       : Information Disclosure
CVE ID       : CVE-2019-17655

Summary

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiProxy
SSL VPN may allow an attacker to retrieve a logged-in SSL VPN user's
credentials, should that attacker be able to read the session file stored on
the targeted device's system. To successfully exploit this weakness, another
unrelated weakness (e.g. a system file leaking vulnerability) would need to be
exploited first.

Impact

Information Disclosure

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.

------------------------------------------------------------------------------

FortiProxy SSL-VPN Improper Access Control vulnerability through the Quick
connection functionality

IR Number    : FG-IR-20-235
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 6.9
Impact       : Improper Access Control
CVE ID       : CVE-2021-22128

Summary

An improper access control vulnerability in the FortiProxy SSL VPN portal may
allow an authenticated, remote attacker to access internal services such as
the ZebOS Shell on the FortiProxy appliance through the Quick Connection
functionality.

Impact

Improper Access Control

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.

Acknowledgement

Internally discovered and reported by the Fortinet PSIRT Team.

------------------------------------------------------------------------------

FortiProxy multiple pre-auth XSS vulnerabilities on SSL VPN

IR Number    : FG-IR-20-230
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 4.6
Impact       : Cross-site scripting (XSS)
CVE ID       : CVE-2018-13380

Summary

An Improper Neutralization of Input During Web Page Generation vulnerability in
the SSL VPN portal of FortiProxy may allow an unauthenticated, remote attacker
to perform a reflected Cross Site Scripting (XSS) attack by injecting a
malicious payload in the error, message or redir parameters.

Impact

Cross-site scripting (XSS)

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.8 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.9 or above.
Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

------------------------------------------------------------------------------

Potential sensitive information can be displayed in cleartext in FortiProxy
CLI window

IR Number    : FG-IR-20-236
Date         : Feb 26, 2021
Risk         : 3/5
CVSSv3 Score : 5.2
Impact       : Information Disclosure
CVE ID       : CVE-2020-6648

Summary

A cleartext storage of sensitive information vulnerability in the FortiProxy
command line interface may allow an authenticated attacker to obtain sensitive
information such as VPN users' passwords by connecting to the FortiProxy CLI
and executing the "diagnose sys ha checksum show" command.

Impact

Information Disclosure

Affected Products

FortiProxy version 2.0.0
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.

Acknowledgement

Fortinet is pleased to thank Shaun Farrow for reporting this vulnerability
under responsible disclosure.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
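Added here as a triage aid, not part of the AusCERT or Fortinet text: a small Python helper that encodes the four advisories' "Affected Products" ranges and named fixed releases as stated in the bulletin, then reports which advisories still apply to a given FortiProxy version string and the minimum release that clears them. The advisory labels, the version-string format and the "no in-branch fix for 1.1.x/1.0.x" handling are assumptions drawn from the bulletin's wording.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Parse a FortiProxy 'major.minor.patch' string into a comparable tuple."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiProxy version format: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

# Highest affected release per branch (inclusive), taken from each advisory's
# "Affected Products" list. Note that FG-IR-20-230 (XSS) caps the 1.2 branch
# at 1.2.8 while the other three cap it at 1.2.9.
ADVISORIES: Dict[str, Dict[Tuple[int, int], Version]] = {
    "FG-IR-20-224 (CVE-2019-17655)": {(2, 0): (2, 0, 0), (1, 2): (1, 2, 9), (1, 1): (1, 1, 6), (1, 0): (1, 0, 7)},
    "FG-IR-20-235 (CVE-2021-22128)": {(2, 0): (2, 0, 0), (1, 2): (1, 2, 9), (1, 1): (1, 1, 6), (1, 0): (1, 0, 7)},
    "FG-IR-20-230 (CVE-2018-13380)": {(2, 0): (2, 0, 0), (1, 2): (1, 2, 8), (1, 1): (1, 1, 6), (1, 0): (1, 0, 7)},
    "FG-IR-20-236 (CVE-2020-6648)":  {(2, 0): (2, 0, 0), (1, 2): (1, 2, 9), (1, 1): (1, 1, 6), (1, 0): (1, 0, 7)},
}

# Releases the bulletin names as fixed. 1.1.x and 1.0.x are listed as affected
# with no fixed release of their own, so they must move to one of these.
FIXED_RELEASES: Dict[Tuple[int, int], str] = {(2, 0): "2.0.1", (1, 2): "1.2.10"}

def affected_advisories(version: str) -> List[str]:
    """Return the advisories whose affected range still contains `version`."""
    v = parse_version(version)
    branch = (v[0], v[1])
    return [adv for adv, caps in ADVISORIES.items()
            if branch in caps and v <= caps[branch]]

def recommended_upgrade(version: str) -> Optional[str]:
    """Minimum release that clears every advisory for `version`; None if clean."""
    if not affected_advisories(version):
        return None
    v = parse_version(version)
    # 2.0.0 goes to 2.0.1; any affected 1.x release goes to 1.2.10 (or 2.0.1).
    return FIXED_RELEASES.get((v[0], v[1]), FIXED_RELEASES[(1, 2)])

if __name__ == "__main__":
    # Constructed sample inventory, one version string per appliance.
    for v in ("2.0.0", "1.2.8", "1.2.9", "1.2.10", "1.1.6", "2.0.1"):
        print(f"{v:>7}: {len(affected_advisories(v))} advisories -> "
              f"upgrade to {recommended_upgrade(v)}")
```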