-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1091.2
         FortiOS multiple pre-authentication Information Disclosure
                               21 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         FortiGuard
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-19-043

Comment: This bulletin contains two (2) FortiGuard security advisories.

Revision History:  October 21 2019: Vendor issues fix for the admin webUI
                                    builtin certificate SN leak issue.
                   April    1 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiOS multiple pre-authentication Information Disclosure

IR Number : FG-IR-19-043
Date      : Mar 29, 2019
Risk      : 3/5
Impact    : Information Disclosure

Summary

Multiple information exposure vulnerabilities in FortiOS may allow an
unauthenticated attacker to perform some information gathering via parsing the
HTTP headers, web portal certificate, and error messages. The exposed
information includes the FortiGate's model, serial number and internal IP
address.

Impact

Information Disclosure

Affected Products

* HTTP Server Header Information Disclosure: FortiOS all versions before 6.0.4
* Admin web portal builtin certificate Information Disclosure: FortiOS all
  versions when using builtin certificate as admin web portal server
  certificate
* Application Control Violation error message Information Disclosure: FortiOS
  6.0.1, 6.0.0, 5.6.6 and below

Solutions

* HTTP Server Header Information Disclosure: Upgrade to FortiOS versions 6.0.4
  or above.
* Admin web portal builtin certificate Information Disclosure: Upload and use a
  3rd party signed certificate as admin web portal server certificate.
* Application Control Violation error message Information Disclosure: Upgrade
  to FortiOS 5.6.6, 6.0.2 or later versions [2]

Workarounds:

* HTTP Server Header Information Disclosure: Limit admin web portal access to
  local network only.
* Admin web portal builtin certificate Information Disclosure: Limit admin web
  portal access to local network only.
* Application Control Violation error message Information Disclosure: Refer to
  https://fortiguard.com/psirt/FG-IR-18-085

==============================================================================

FortiOS multiple pre-authentication Information Disclosure

IR Number : FG-IR-19-043
Date      : Mar 29, 2019
Risk      : 3/5
Impact    : Information Disclosure

Summary

Multiple information exposure vulnerabilities in FortiOS may allow an
unauthenticated attacker to perform some information gathering via parsing the
HTTP headers, web portal certificate, and error messages. The exposed
information includes the FortiGate's model, serial number and internal IP
address.

Impact

Information Disclosure

Affected Products

* HTTP Server Header Information Disclosure: FortiOS all versions before 6.0.4
* Admin web portal builtin certificate Information Disclosure: FortiOS all
  versions before 6.2.3 when using builtin certificate as admin web portal
  server certificate
* Application Control Violation error message Information Disclosure: FortiOS
  6.0.1, 6.0.0, 5.6.6 and below

Solutions

* HTTP Server Header Information Disclosure: Upgrade to FortiOS versions 6.0.4
  or above.
* Admin web portal builtin certificate Information Disclosure: Upgrade to
  FortiOS 6.2.3 or later versions [*]

  [*] For hardware FortiOS models, when upgrading from older versions to
  FortiOS 6.2.3 and self-signed certificates are used, admins need to re-apply
  the self-signed certificates (choose another cert and change back to
  self-signed) after the upgrade. This upgrading issue does not impact FortiOS
  VM models and is addressed in FortiOS 6.2.4. To verify the operation
  succeeded, set self-sign as admin webUI server certificate and read the cert
  detail through the web browser: the CN should be "FortiGate" instead of the
  SN of the FortiGate device.

* Application Control Violation error message Information Disclosure: Upgrade
  to FortiOS 5.6.6, 6.0.2 or later versions [2]

Workarounds:

* HTTP Server Header Information Disclosure: Limit admin web portal access to
  local network only.
* Admin web portal builtin certificate Information Disclosure: Upload and use a
  3rd party signed certificate as admin web portal server certificate, or
  limit admin web portal access to local network only.
* Application Control Violation error message Information Disclosure: Refer to
  https://fortiguard.com/psirt/FG-IR-18-085

Revision History:

2019-03-29 Initial release
2019-10-17 Fix the admin webUI builtin certificate SN leak issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXaznvWaOgq3Tt24GAQhsAhAAyNIQmtPSQq1LhFHFUDGsbpjxG0IcDysP
ZpY86Gwfu3saPXqwT1g35xf/QL70HLr1/E/kuXwLfl8zwbzS+sa1FDVh4fWe1YsV
x3RBclH/E7EHzisClCJe/74XJFGxY43nyzwVBnfxGvewBFIrJot8ZtYxqTn9ntSW
mJf2yXxaQUbvOAk1MpWTiPvzykDSAH9UVj1ZPOH2guGOahOzlqnB93i9sbYtZvRw
gsOk2KSEvo5Oj7yzsSbF/Z+1w5NSVP1Gk9hMRQPVkR941pxO89mT+JjV63KHJ5Sv
puHd9HB6p7X+J/KCQ7mb2W/vRXTfV2K8SCpbcnr0xGmREtusuAwsRr05vdPX/FjT
kUBBOkoxuGbVYFoeAoPVunAX/zVbijLwDs1CMACVGzj36N25JaZxg0YZHUHWH0zo
Pv2+g+iEO0576lg/I2lmeelKL1WzS2GRwp+CLAayoRluTGvGU3wiCF5DZBsVdouW
cbuT7aYwn5fpZ2I01hHNXPCbi8tgna46ccV4NZppLFsHTB8v+ahCzFRzjiNDHTWE
yRFH9wTbDRyjGIB1mcI+TPqaNnrkUJiNpwRuoPSXUBzvq2tF5qV0muesBvOYlAC6
Bp/gDGlGxCM7ZKBOoIUJfZT4+9bvYqHjJakVveUD0OrqwCun23h9Ciyau9KqaU6O
evKhR2itWQs=
=fMjy
-----END PGP SIGNATURE-----
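The advisory gives one manual verification step for the certificate issue (after the 6.2.3 fix the admin webUI certificate's CN should read "FortiGate" rather than the device serial) and names the other two exposures without showing how to check for them. The following Python script, added here as an example and not code from Fortinet or AusCERT, turns all three into repeatable checks: it classifies the admin portal certificate's CN, records whether a Server header is still returned, and scans a response body (such as an Application Control violation page) for private addresses. It uses only the standard library. Assumptions not stated in the advisory: FortiGate serial numbers begin with "FG" followed by letters and digits; the admin portal answers a plain HTTPS GET; the sample header, certificate subjects and error page text are constructed for the offline self-test. The `fetch()` function is the only part that touches a live appliance.

```python
"""Repeatable checks for the three FG-IR-19-043 pre-authentication exposures.

Added example, not Fortinet's or AusCERT's code. Standard library only.
"""
import http.client
import ipaddress
import re
import socket
import ssl

# Assumption: a CN that looks like a FortiGate serial (e.g. "FGT..." or "FGVM...")
# is the pre-6.2.3 builtin certificate exposing the SN. Not from the advisory.
SERIAL_LIKE = re.compile(r"^FG[A-Z0-9]{6,}$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def cert_common_name(peercert):
    """Pull commonName out of the dict shape ssl.SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess_cert(peercert):
    """Classify the admin portal certificate per the advisory's verification step."""
    cn = cert_common_name(peercert)
    if cn is None:
        return "no-cn"
    if cn == "FortiGate":          # what the fixed builtin certificate should show
        return "builtin-fixed"
    if SERIAL_LIKE.match(cn):      # serial number exposed in the subject
        return "serial-leak"
    return "custom-cert"           # uploaded / third-party certificate


def assess_server_header(headers):
    """Any Server value from the admin portal is fingerprinting material (fixed in 6.0.4)."""
    value = headers.get("Server") or headers.get("server")
    return ("server-header-present", value) if value else ("server-header-absent", None)


def find_private_ips(body):
    """Return private/loopback/link-local IPv4 addresses found in an error or block page."""
    found = []
    for candidate in IPV4.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an address
            continue
        if ip.is_private and str(ip) not in found:
            found.append(str(ip))
    return found


def assess(headers, peercert, body):
    """Combine the three checks into a list of (check, result) findings."""
    return [("cert", assess_cert(peercert)),
            assess_server_header(headers),
            ("internal-ips", find_private_ips(body))]


def fetch(host, port=443, path="/", timeout=5.0):
    """Live collection of headers, body and parsed peer cert from one appliance.

    The builtin certificate will not chain to a public CA, so the presented cert
    is loaded as the trust anchor purely to make getpeercert() return the parsed
    subject. That is a parsing trick, not a trust decision.
    """
    pem = ssl.get_server_certificate((host, port))
    cert_ctx = ssl.create_default_context(cadata=pem)
    cert_ctx.check_hostname = False
    if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):      # Python 3.10+
        cert_ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with cert_ctx.wrap_socket(sock, server_hostname=host) as tls:
            peercert = tls.getpeercert()
    http_ctx = ssl.create_default_context()              # unverified: we only want headers/body
    http_ctx.check_hostname = False
    http_ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=http_ctx, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return headers, peercert, body


# Constructed sample data standing in for a live appliance (not real values).
SAMPLE_HEADERS = {"Server": "constructed-server-banner"}
SAMPLE_CERT_OLD = {"subject": ((("countryName", "US"),), (("commonName", "FGT60D0000000001"),))}
SAMPLE_CERT_NEW = {"subject": ((("commonName", "FortiGate"),),)}
SAMPLE_BODY = "Application Control Violation (constructed). Blocked by 10.0.0.5 for policy 7."

if __name__ == "__main__":
    for label, cert in (("old builtin cert", SAMPLE_CERT_OLD), ("fixed builtin cert", SAMPLE_CERT_NEW)):
        print(label, assess(SAMPLE_HEADERS, cert, SAMPLE_BODY))
```

Run `fetch(host)` against an appliance you are authorised to test and pass its result to `assess()`; a "serial-leak" CN, a present Server header, or any private address in a block page means the corresponding item in the advisory still applies and the listed upgrade or certificate replacement has not taken effect.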