-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1091
        FortiOS multiple pre-authentication Information Disclosure
                               1 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-19-043

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiOS multiple pre-authentication Information Disclosure

IR Number : FG-IR-19-043

Date      : Mar 29, 2019

Risk      : 3/5

Impact    : Information Disclosure

Summary

Multiple information exposure vulnerabilities in FortiOS may allow an
unauthenticated attacker to gather information about the device by parsing
the HTTP response headers, the admin web portal's server certificate, and
error messages. The exposed information includes the FortiGate's model,
serial number and internal IP address, none of which should be obtainable
without credentials.

Impact

Information Disclosure

Affected Products

* HTTP Server Header Information Disclosure:

FortiOS all versions before 6.0.4


* Admin web portal builtin certificate Information Disclosure:

FortiOS all versions when using builtin certificate as admin web portal server
certificate

* Application Control Violation error message Information Disclosure:

FortiOS 6.0.1, 6.0.0, 5.6.6 and below

Solutions

* HTTP Server Header Information Disclosure:

Upgrade to FortiOS versions 6.0.4 or above.


* Admin web portal builtin certificate Information Disclosure

Upload and use a 3rd party signed certificate as admin web portal server
certificate.

* Application Control Violation error message Information Disclosure:

Upgrade to FortiOS 5.6.6, 6.0.2 or later versions [2]


Workarounds:


* HTTP Server Header Information Disclosure:

Limit admin web portal access to local network only.


* Admin web portal builtin certificate Information Disclosure:

Limit admin web portal access to local network only.

* Application Control Violation error message Information Disclosure:

Refer to https://fortiguard.com/psirt/FG-IR-18-085

- --------------------------END INCLUDED TEXT--------------------
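Added example, not part of the FortiGuard advisory or of AusCERT's bulletin:
a stand-alone Python check for the three leak channels the advisory lists.
It reads the Server header, the peer certificate's commonName (the built-in
FortiGate certificate carries the unit serial there, per the advisory) and any
internal IPv4 address in the response body, and reports one finding per
channel. The serial-number regex, the helper names (extract_cns, analyze,
probe) and the sample response are assumptions constructed for this example;
probe() is the only part that touches the network.

```python
"""Audit helper for the three FG-IR-19-043 leak channels.

Added example, not Fortinet's or AusCERT's code. The serial-number pattern,
the sample data and the helper names are assumptions for this example.
"""
import http.client
import ipaddress
import re
import ssl

# Assumption: FortiGate unit serials look like FGT60D4Q16012345 (model
# letters, then alphanumerics); this regex only approximates that shape.
SERIAL_RE = re.compile(r"\bF[A-Z]{1,3}[0-9A-Z]{10,16}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# DER encoding of the X.509 commonName OID (2.5.4.3) and the string tags a CN
# may use (UTF8String, PrintableString, T61String, IA5String).
CN_OID = b"\x06\x03\x55\x04\x03"
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}


def extract_cns(der):
    """Return every commonName in a DER certificate, in encoding order.
    Issuer precedes subject in TBSCertificate, so cns[-1] is the subject CN
    unless an extension also carries one. Short-form lengths only."""
    cns = []
    i = der.find(CN_OID)
    while i != -1:
        j = i + len(CN_OID)
        if j + 2 <= len(der) and der[j] in STRING_TAGS and der[j + 1] < 0x80:
            n = der[j + 1]
            cns.append(der[j + 2:j + 2 + n].decode("latin-1"))
        i = der.find(CN_OID, j)
    return cns


def private_ips(text):
    """RFC 1918 / loopback / link-local IPv4 addresses mentioned in text."""
    found = []
    for m in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if ip.is_private and str(ip) not in found:
            found.append(str(ip))
    return found


def analyze(server_header, cert_der, body):
    """Map (Server header, peer cert DER, response body) to a list of
    (channel, detail) findings, one per leak channel in the advisory."""
    findings = []
    if server_header and ("forti" in server_header.lower()
                          or SERIAL_RE.search(server_header)):
        findings.append(("http-server-header", server_header))
    cns = extract_cns(cert_der)
    if cns and SERIAL_RE.fullmatch(cns[-1]):
        findings.append(("admin-portal-certificate", "CN=" + cns[-1]))
    for ip in private_ips(body):
        findings.append(("error-page", ip))
    return findings


def probe(host, port=443, path="/"):
    """Live probe of one host (network; not used by the sample below).
    Chain validation is disabled on purpose: the factory certificate is
    self-signed and we only want its DER bytes, which
    getpeercert(binary_form=True) returns even for an unverified peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    der = conn.sock.getpeercert(binary_form=True)
    return analyze(resp.getheader("Server", ""), der, body)


# Constructed sample input (not captured from a real device): a DER fragment
# with an issuer CN followed by a subject CN in the serial shape, a Server
# header naming the product, and a block page that mentions an internal host.
SAMPLE_DER = (b"\x30\x0f" + CN_OID + b"\x0c\x08Fortinet"
              + b"\x30\x17" + CN_OID + b"\x13\x10FGT60D4Q16012345")
SAMPLE_SERVER = "FortiGate-60D FGT60D4Q16012345"
SAMPLE_BODY = ("<html>Application Control Violation<br>"
               "Please contact the administrator at 10.0.0.1</html>")

if __name__ == "__main__":
    for channel, detail in analyze(SAMPLE_SERVER, SAMPLE_DER, SAMPLE_BODY):
        print(f"{channel}: {detail}")
```

After applying the vendor's fixes (6.0.4 or later, a CA-signed portal
certificate, and the error-page fix) the same check on a live device should
return an empty list; a non-empty result is a quick way to confirm which of the
three channels is still exposed from outside the management network.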

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----