Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.1114.4 FortiOS multiple vulnerabilities 22 August 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: FortiOS Publisher: FortiGuard Operating System: Network Appliance Impact/Access: Increased Privileges -- Existing Account Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-13383 CVE-2017-17544 Original Bulletin: https://fortiguard.com/psirt/FG-IR-18-388 https://fortiguard.com/psirt/FG-IR-17-053 Comment: This bulletin contains two (2) FortiGuard security advisories. Revision History: August 22 2019: Added 08-21-2019 New fix on 5.6.11 released. July 26 2019: Updated FG-IR-18-388: Risk adjusted to High, Workaround updated May 22 2019: Updated FG-IR-18-388 - Add fix on 6.0 branch April 3 2019: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- FortiOS admin privilege escalation via restoring configs IR Number : FG-IR-17-053 Date : Apr 02, 2019 Risk : 2/5 Impact : Privilege Escalation CVE ID : CVE-2017-17544 Summary A privilege escalation vulnerability in FortiOS may allow admin users to elevate their profile to super_admin, via restoring modified configurations. Impact Privilege Escalation Affected Products FortiOS 6.0 all versions. FortiOS 5.6.0 to 5.6.10 FortiOS 5.4 all versions and below. Solutions FortiOS 6.0 upgrade to 6.2.0 and above FortiOS 5.6 upgrade to 5.6.11 and above FortiOS 5.4 and below upgrade to 5.6.11 or above Workarounds The conditions to achieve privilege escalation via this vulnerability are as follows: * Regular mode (no VDOM): The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write" * VDOM mode: The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write", and the user's profile's scope is set to "global" The following CLI commands prevent those conditions to be met: * Regular mode: config system accprofile edit [profile-name] set sysgrp custom config sysgrp-permission set admin none set mnt none end next end * VDOM mode: config system accprofile edit [profile-name] set scope vdom set sysgrp custom config sysgrp-permission set admin none set mnt none end next end Revision History: 04-02-2019 Initial version 08-21-2019 New fix on 5.6.11 released. Acknowledgement Fortinet is pleased to thank independent researcher youssef El GARROUM for reporting this vulnerability under responsible disclosure. - ------------------------------------------------------------------------------ FortiOS reflected XSS in the SSL VPN web portal error page parameters IR Number : FG-IR-19-034 Date : May 24, 2019 Risk : 3/5 Impact : Cross-site Scripting (XSS) CVE ID : CVE-2019-5586, CVE-2019-5588 Summary Failure to sanitize input in the SSL VPN web portal may allow an attacker to perform a reflected Cross-site Scripting (XSS) attack via multiple parameters of the error page HTTP request. Impact Cross-site Scripting (XSS) Affected Products CVE-2019-5586 FortiOS 6.0.0 to 6.0.4 FortiOS 5.2.0 to 5.6.10 CVE-2019-5588 FortiOS 6.0.0 to 6.0.4 Solutions Upgrade to FortiOS 5.6.11, 6.0.5 or 6.2.0 Workarounds: Disable the SSL-VPN web portal service by applying the following CLI commands: config vpn ssl settings unset source-interface end Revision History: 05-24-2019 Initial version 08-21-2019 Add 5.6 branch fixing for CVE-2019-5586 Acknowledgement Fortinet is pleased to thank Aaron Hall from Verizon Media Group (Oath) for reporting CVE-2019-5586 and Nathan HARDY Cybersecurity Engineer/Consultant at Sogeti Luxembourg for reporting CVE-2019-5588 under responsible disclosures. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXV4fw2aOgq3Tt24GAQiMTA/+NOdBHnQs4NVfjbgwl+7UThQK8KjofWy3 NMQQVUgfuy0Urd45BtyxdFbI/80qUTU6fqmIABGMi51eER2pz5qYoiSU1WH3ICRd jieZ9aqc1qmw7PMQdh/3GuO0rvqOWvHxuxnFdDzOzYs2vr8kijwcFF8WEzhJ3SB4 m/qF8TX3nsXPkPKlQfOD2/LWtQenarunMK009D6D979X8Vq45PekvFQrwPZovsiX K8p2t6MLcC/Skf+JDp5SKaeSKkcB/q/k5XMauZuOXfFmCTR8TzEruiUNgfO0HLNM YNZ9M82FpOYM0qBUePCTQwQNBDX+vOPjz/AEjV5ukaVzfq7R7dAJM5wARccGpQOS 5ENf/AZSrVqDJ1l4dkViTRQ0LubirjXbiTXOk2TT+v2APzr9T/apMQ9a+WhUmOVg HezJQC45ifbriWPV7YlrCtlArbEY/9RhGDPikO+uyUT7zP6zm2Y2X1LbLW1oMWJ4 moE9OuFpeCSQ5THgT6VNIbJDJa5a4vEOn2ENxPkANat5f0dMRRAyse4sbYjo/FwO iKceGr7rCHHqzddhY2COtHKWjllBNP2KMFSCQvddt8rgz47HhgTbxR/iOvOZrZC4 Eq2Ivr4biACALBxniulH9gxUjjBEOUyUF/3Qm4oWFjbYZ+Rb8FSlX8mJoMBeWaSi Wd2EFFemWwY= =GkVt -----END PGP SIGNATURE-----