===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1091.2
        FortiOS multiple pre-authentication Information Disclosure
                              21 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-19-043

Comment: This bulletin contains two revisions of the FortiGuard advisory
         FG-IR-19-043: the original release of 29 March 2019 and the
         17 October 2019 update that adds a fix for the admin webUI builtin
         certificate serial number leak.

Revision History:  October 21 2019: Vendor issued a fix (FortiOS 6.2.3) for the
                                    admin webUI builtin certificate serial
                                    number leak.
                   April    1 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

FortiOS multiple pre-authentication Information Disclosure

IR Number : FG-IR-19-043

Date      : Mar 29, 2019

Risk      : 3/5

Impact    : Information Disclosure

Summary

Multiple information exposure vulnerabilities in FortiOS may allow a remote,
unauthenticated attacker to gather information by parsing the HTTP Server
header, the admin web portal's server certificate, and Application Control
violation error messages. The exposed information includes the FortiGate's
model, serial number and internal IP address.

Impact

Information Disclosure

Affected Products

* HTTP Server Header Information Disclosure:

FortiOS all versions before 6.0.4


* Admin web portal builtin certificate Information Disclosure:

FortiOS, all versions, when the builtin certificate is used as the admin web
portal server certificate

* Application Control Violation error message Information Disclosure:

FortiOS 6.0.1, 6.0.0, 5.6.6 and below

Solutions

* HTTP Server Header Information Disclosure:

Upgrade to FortiOS versions 6.0.4 or above.


* Admin web portal builtin certificate Information Disclosure

Upload and use a 3rd-party signed certificate as the admin web portal server
certificate.

* Application Control Violation error message Information Disclosure:

Upgrade to FortiOS 5.6.6, 6.0.2 or later versions [2]


Workarounds:


* HTTP Server Header Information Disclosure:

Limit admin web portal access to the local network only.


* Admin web portal builtin certificate Information Disclosure:

Limit admin web portal access to the local network only.

* Application Control Violation error message Information Disclosure:

Refer to https://fortiguard.com/psirt/FG-IR-18-085

==============================================================================

FortiOS multiple pre-authentication Information Disclosure

IR Number : FG-IR-19-043

Date      : Mar 29, 2019

Risk      : 3/5

Impact    : Information Disclosure

Summary

Multiple information exposure vulnerabilities in FortiOS may allow a remote,
unauthenticated attacker to gather information by parsing the HTTP Server
header, the admin web portal's server certificate, and Application Control
violation error messages. The exposed information includes the FortiGate's
model, serial number and internal IP address.

Impact

Information Disclosure

Affected Products

* HTTP Server Header Information Disclosure:

FortiOS all versions before 6.0.4


* Admin web portal builtin certificate Information Disclosure:

FortiOS, all versions before 6.2.3, when the builtin certificate is used as the
admin web portal server certificate

* Application Control Violation error message Information Disclosure:

FortiOS 6.0.1, 6.0.0, 5.6.6 and below

Solutions

* HTTP Server Header Information Disclosure:

Upgrade to FortiOS versions 6.0.4 or above.


* Admin web portal builtin certificate Information Disclosure

Upgrade to FortiOS 6.2.3 or later versions [*]


[*] For hardware FortiOS models, when upgrading from an older version to FortiOS
6.2.3 with the self-signed certificate in use, admins need to re-apply the
self-signed certificate after the upgrade (select another certificate, then
switch back to the self-signed one). This upgrade issue does not affect FortiOS
VM models and is addressed in FortiOS 6.2.4.

To verify that the operation succeeded, set the self-signed certificate as the
admin webUI server certificate and read the certificate details in the web
browser: the CN should be "FortiGate" instead of the SN of the FortiGate device.

* Application Control Violation error message Information Disclosure:

Upgrade to FortiOS 5.6.6, 6.0.2 or later versions [2]
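Both web portal disclosures (the Server header and the builtin certificate CN) are visible to an unauthenticated client, so the pre-upgrade state and the verification step above can be checked from the outside. The following Python script is an added example, not Fortinet's code and not part of the advisory. It parses the Server header out of an HTTP response and decides whether a self-signed admin certificate still carries something other than the "FortiGate" CN the advisory says a fixed device presents. The sample responses and certificate subjects are constructed; the rule that a leaking Server header contains "forti", the serial-looking CN value, and the use of subject == issuer to recognise the builtin certificate are assumptions. live_check reaches a real device over the network and shells out to openssl for the certificate DN because Python's getpeercert() returns an empty dict once verification is disabled. The Application Control error message disclosure is not covered, since this advisory gives no detail on it.

```python
"""Pre-auth disclosure checks for FG-IR-19-043 (added example, not Fortinet code):
the HTTP Server header and the CN of a self-signed admin web portal certificate."""
import re
import ssl
import subprocess
from email.parser import BytesParser
from http.client import HTTPSConnection
from typing import List, Optional, Tuple

# Constructed sample HTTP responses; the Server value is hypothetical, not captured.
RESPONSE_PRE_FIX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: FortiGate-HYPOTHETICAL-MODEL\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)
RESPONSE_POST_FIX = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

# Constructed certificate DNs in the shape of `openssl x509 -subject -issuer` output.
# The serial-looking CN is hypothetical; "FortiGate" is the CN the advisory says a
# fixed device presents on its builtin certificate.
CERT_PRE_FIX: Tuple[str, str] = ("subject=CN = FGTHYPOTHETICAL0001",
                                 "issuer=CN = FGTHYPOTHETICAL0001")
CERT_POST_FIX: Tuple[str, str] = ("subject=CN = FortiGate", "issuer=CN = FortiGate")
CERT_THIRD_PARTY: Tuple[str, str] = ("subject=CN = fw.example.com",
                                     "issuer=CN = Example CA")


def server_header(raw_response: bytes) -> Optional[str]:
    """Return the Server header of a raw HTTP response, or None if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    # Drop the status line; email.parser understands the RFC 822-style header block.
    header_block = head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""
    msg = BytesParser().parsebytes(header_block + b"\r\n", headersonly=True)
    return msg.get("Server")


def server_header_discloses_product(server: Optional[str]) -> bool:
    """Assumed rule: a Server header that names the product is a disclosure."""
    return server is not None and "forti" in server.lower()


def common_name(dn_line: str) -> Optional[str]:
    """Extract the CN from an openssl-style 'subject=...' or 'issuer=...' line.
    Handles both 'CN = x' (openssl 1.1+) and '/CN=x' (older) layouts."""
    match = re.search(r"CN\s*=\s*([^,/\n]+)", dn_line)
    return match.group(1).strip() if match else None


def builtin_cert_leaks_serial(subject_line: str, issuer_line: str) -> bool:
    """True when the certificate is self-signed (subject == issuer, assumed to
    identify the builtin certificate) and its CN is not "FortiGate"."""
    subject = subject_line.split("=", 1)[1].strip()
    issuer = issuer_line.split("=", 1)[1].strip()
    if subject != issuer:
        return False  # third-party signed: the workaround in the advisory
    return common_name(subject_line) != "FortiGate"


def assess(server: Optional[str], subject_line: str, issuer_line: str) -> List[str]:
    """Return the disclosures found: 'server-header' and/or 'builtin-cert-cn'."""
    findings = []
    if server_header_discloses_product(server):
        findings.append("server-header")
    if builtin_cert_leaks_serial(subject_line, issuer_line):
        findings.append("builtin-cert-cn")
    return findings


def live_check(host: str, port: int = 443) -> List[str]:
    """Run assess() against a real admin portal (network access required).
    Python's getpeercert() returns {} once verification is disabled, so the
    certificate DN is read through openssl instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the builtin cert is self-signed; we only inspect it
    conn = HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    server = conn.getresponse().getheader("Server")
    conn.close()
    pem = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15, check=False).stdout
    dn = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                        input=pem, capture_output=True, check=True).stdout.decode()
    subject_line = next(l for l in dn.splitlines() if l.startswith("subject="))
    issuer_line = next(l for l in dn.splitlines() if l.startswith("issuer="))
    return assess(server, subject_line, issuer_line)


if __name__ == "__main__":
    print("pre-fix :", assess(server_header(RESPONSE_PRE_FIX), *CERT_PRE_FIX))
    print("post-fix:", assess(server_header(RESPONSE_POST_FIX), *CERT_POST_FIX))
```

Running the script offline reports both findings for the constructed pre-fix inputs and none for the post-fix ones; live_check("fw.example.com") would do the same against a device you are authorised to test. A third-party signed certificate is deliberately not flagged, since replacing the builtin certificate is the advisory's own workaround.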


Workarounds:


* HTTP Server Header Information Disclosure:

Limit admin web portal access to the local network only.


* Admin web portal builtin certificate Information Disclosure:

Upload and use a 3rd-party signed certificate as the admin web portal server
certificate, or limit admin web portal access to the local network only.

* Application Control Violation error message Information Disclosure:

Refer to https://fortiguard.com/psirt/FG-IR-18-085


Revision History:
2019-03-29 Initial release
2019-10-17 Fixed the admin webUI builtin certificate SN leak (FortiOS 6.2.3).

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================