===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1891.2
                             FortiGate SSL VPN
                                5 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiGate SSL VPN (FortiOS)
Publisher:         Fortinet
Operating System:  Network Appliance
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
                   Increased Privileges     -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5588 CVE-2019-5586 CVE-2018-13382 CVE-2018-13380
                   CVE-2018-13379 CVE-2017-14186

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-17-242
   https://fortiguard.com/psirt/FG-IR-18-383
   https://fortiguard.com/psirt/FG-IR-19-034
   https://fortiguard.com/psirt/FG-IR-18-384
   https://fortiguard.com/psirt/FG-IR-18-389

Comment: This bulletin contains five (5) Fortinet security advisories.

Revision History:  June  5 2019: FG-IR-18-384 and FG-IR-18-389: Clarified the 
                                 impacted versions and workarounds.
                   May  27 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiGate SSL VPN web portal login redir XSS vulnerability

IR Number : FG-IR-17-242

Date      : Nov 23, 2017

Risk      : 3/5

Impact    : Cross-site Scripting (XSS), URL Redirection Attack

CVE ID    : CVE-2017-14186

Summary

Failure to sanitize the login redir parameter in the SSL-VPN web portal may
allow an attacker to perform a Cross-site Scripting (XSS) or a URL redirection
(open redirect) attack.

Impact

Cross-site Scripting (XSS), URL Redirection Attack

Affected Products

FortiOS 6.0.0 -> 6.0.4

FortiOS 5.6.0 -> 5.6.7

FortiOS 5.4 and below.

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0


Workarounds:


As a workaround on unfixed versions, if the SSL-VPN web portal feature is
enabled, disable the SSL-VPN web portal service by applying the following CLI
commands:


For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end


For FortiOS 5.2 and later branches (5.2, 5.4, 5.6 and 6.0):

config vpn ssl settings
unset source-interface
end


Revision History:


2017-11-23 Initial version
2018-05-15 Clarify the workaround applied versions
2018-09-06 Correct the exploit condition and risk level
2019-05-15 Fixed version and Risk level updated

Acknowledgement

Fortinet is pleased to thank Stefan Viehbock from SEC Consult Vulnerability
Lab, Dan Taler from Content Security Pty Ltd, Sage Data Security, Julio Sanchez
from SecureAuth Corporation and Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

References

  o https://www.sec-consult.com/en/blog/advisories/fortigate-ssl-vpn-portal-xss-vulnerability/index.html
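The advisory names two failure modes for the same parameter, reflected XSS and
URL redirection, but does not show how the portal processes "redir". The
following is an added illustration, not FortiOS or Fortinet code: a generic
model of a login handler that reflects a post-login redirect parameter, with
the flawed pattern next to a hardened one. The function names, the form field
and every probe string are constructed for the example.

```python
"""Handling a post-login redirect parameter safely (added illustration)."""
import html
from urllib.parse import urlsplit, urlunsplit


def render_login_vulnerable(redir: str) -> str:
    """Flawed pattern: the parameter is reflected verbatim into the form."""
    return f'<input type="hidden" name="redir" value="{redir}">'


def safe_redirect_target(redir: str, default: str = "/") -> str:
    """Accept only an absolute path on this host; anything else becomes default."""
    if not redir:
        return default
    # Whitespace and control characters can split a header or smuggle a second URL.
    if any(ord(c) < 0x20 or c.isspace() for c in redir):
        return default
    # Some browsers treat '\' as '/', so '/\evil.example' would leave the host.
    if "\\" in redir:
        return default
    parts = urlsplit(redir)
    # A scheme ('javascript:', 'https:') or a netloc ('//evil.example') is off-host.
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Keep only path and query; the fragment never reaches the server anyway.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def render_login_hardened(redir: str) -> str:
    """Validate the target, then HTML-escape it before reflecting it into an attribute."""
    target = safe_redirect_target(redir)
    return f'<input type="hidden" name="redir" value="{html.escape(target, quote=True)}">'


def redirect_location(redir: str) -> str:
    """Value to place in the Location header after a successful login."""
    return safe_redirect_target(redir)


# Constructed probes; none is taken from the advisory.
PROBES = [
    "/portal/index?tab=1",            # legitimate same-host target
    "https://evil.example/phish",     # absolute URL: open redirect
    "//evil.example/phish",           # scheme-relative URL: open redirect
    "javascript:alert(1)",            # pseudo-scheme: script execution via redirect
    '"><script>alert(1)</script>',    # breaks out of the value attribute
    "/\\evil.example",                # backslash confusion
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:40} -> {redirect_location(probe)!r}")
```

The two controls are independent: the allow-list on the target stops the
redirect leaving the host, and the attribute escaping stops a value that passed
the allow-list (a path containing quotes or angle brackets) from breaking out of
the HTML attribute it is reflected into.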

- ----------------------------------------------------------------------------------

FortiOS multiple pre-auth XSS vulnerabilities on SSL VPN

IR Number : FG-IR-18-383

Date      : May 24, 2019

Risk      : 3/5

Impact    : Cross-site scripting (XSS)

CVE ID    : CVE-2018-13380

Summary

Failure to sanitize the error or message handling parameters in the SSL VPN web
portal may allow an attacker to perform a Cross-site Scripting (XSS) attack.

Impact

Cross-site scripting (XSS)

Affected Products

FortiOS 6.0.0 to 6.0.4

FortiOS 5.6.0 to 5.6.7

FortiOS 5.4 and below

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0


Workarounds:


As a workaround on unfixed versions, if the SSL-VPN web portal feature is
enabled, disable the SSL-VPN web portal service by applying the following CLI
commands:


For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end


For FortiOS 5.2 and above branches:

config vpn ssl settings
unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

- ----------------------------------------------------------------------------------

FortiOS reflected XSS in the SSL VPN web portal error page parameters

IR Number : FG-IR-19-034

Date      : May 24, 2019

Risk      : 3/5

Impact    : Cross-site Scripting (XSS)

CVE ID    : CVE-2019-5586, CVE-2019-5588

Summary

Failure to sanitize input in the SSL VPN web portal may allow an attacker to
perform a reflected Cross-site Scripting (XSS) attack via multiple parameters
of the error page HTTP request.

Impact

Cross-site Scripting (XSS)

Affected Products

CVE-2019-5586 FortiOS 5.2.0 to 6.0.4

CVE-2019-5588 FortiOS 6.0.0 to 6.0.4

Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0


Workarounds:


Disable the SSL-VPN web portal service by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Aaron Hall from Verizon Media Group (Oath) for
reporting CVE-2019-5586 and Nathan HARDY Cybersecurity Engineer/Consultant at
Sogeti Luxembourg for reporting CVE-2019-5588 under responsible disclosures.

- ----------------------------------------------------------------------------------

FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests

IR Number : FG-IR-18-384

Date      : May 24, 2019

Risk      : 4/5

Impact    : Information Disclosure

CVE ID    : CVE-2018-13379

Summary

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an
unauthenticated attacker to download FortiOS system files through specially
crafted HTTP resource requests.

Impact

Information Disclosure

Affected Products

FortiOS 5.6.3 to 5.6.7

FortiOS 6.0.0 to 6.0.4

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.


Other versions are not affected.

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0


Workarounds:


As a temporary solution, the only workaround is to completely disable the
SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI
commands:


config vpn ssl settings
unset source-interface
end


Note that firewall policies tied to SSL VPN must be removed first, or the
"unset source-interface" command above will fail.


As an example, when source-interface is "port1" and the SSL VPN interface is
"ssl.root", the following CLI commands would be needed before "unset
source-interface" can execute successfully:


config vpn ssl settings
config authentication-rule
purge
end
end

(purge removes all authentication rules)

config firewall policy
delete [policy-id]
end

(delete every SSL VPN policy whose srcintf is "ssl.root" and dstintf is
"port1", one delete per policy ID)


Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the impacted versions and workarounds.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.
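The advisory describes the flaw only as a path traversal reached through
crafted HTTP resource requests. The following is an added illustration, not
Fortinet code: a resource resolver that confines every request to the web root,
next to the unsafe concatenation pattern. The root directory "/var/www" and all
probe requests are constructed for the example and are not the advisory's
request.

```python
"""Confining an HTTP resource path to the web root (added illustration)."""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_resource(web_root: str, request_path: str) -> Optional[str]:
    """Map a request path onto a file under web_root.

    Returns the root-relative POSIX path of the file to serve, or None when
    the request would escape the root or is malformed.
    """
    root = Path(web_root).resolve()
    # Decode exactly once: a double-encoded '%252e%252e' stays literal and so
    # never turns into '..' on disk.
    decoded = unquote(request_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # resolve() collapses '.', '..' and repeated slashes and follows any
    # symlinks that already exist, so the containment check sees the real path.
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate.relative_to(root).as_posix()


def naive_resolve(web_root: str, request_path: str) -> str:
    """Unsafe pattern: string concatenation with no containment check."""
    return web_root.rstrip("/") + "/" + request_path.lstrip("/")


# Constructed probes against a hypothetical root of /var/www.
PROBES = [
    "/css/portal.css",                    # legitimate resource
    "/../../../../etc/passwd",            # plain traversal
    "/lang/..//..///..////etc/passwd",    # traversal with slash padding
    "/%2e%2e/%2e%2e/etc/passwd",          # URL-encoded dots
    "/%252e%252e/etc/passwd",             # double-encoded: stays a literal name
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe:36} naive={naive_resolve('/var/www', probe)!r:44} "
              f"confined={resolve_resource('/var/www', probe)!r}")
```

The check compares resolved absolute paths rather than looking for the
substring "..", which is why the slash-padded and percent-encoded variants are
rejected by the same line of code as the plain one.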

- ----------------------------------------------------------------------------------

Unauthenticated SSL VPN user password modification

IR Number : FG-IR-18-389

Date      : May 24, 2019

Risk      : 4/5

CVE ID    : CVE-2018-13382

Summary

An Improper Authorization vulnerability in the SSL VPN web portal may allow an
unauthenticated attacker to change the password of an SSL VPN web portal user
via specially crafted HTTP requests.

Affected Products

FortiOS 6.0.0 to 6.0.4

FortiOS 5.6.0 to 5.6.8

FortiOS 5.4.1 to 5.4.10

Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.


Note that only users with local authentication are affected; SSL VPN users with
remote authentication (LDAP or RADIUS) are not impacted.


Versions 5.4.0 and below (including branch 5.2) are not affected.

Solutions

Upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.


Workaround:


The only workaround is to migrate SSL VPN user authentication from local to
remote (LDAP or RADIUS), or to completely disable the SSL-VPN service (both
web-mode and tunnel-mode) by applying the following CLI commands:


config vpn ssl settings
unset source-interface
end


Note that firewall policies tied to SSL VPN must be removed first, or the
"unset source-interface" command above will fail.


As an example, when source-interface is "port1" and the SSL VPN interface is
"ssl.root", the following CLI commands would be needed before "unset
source-interface" can execute successfully:


config vpn ssl settings
config authentication-rule
purge
end
end

(purge removes all authentication rules)

config firewall policy
delete [policy-id]
end

(delete every SSL VPN policy whose srcintf is "ssl.root" and dstintf is
"port1", one delete per policy ID)


Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the affected versions and workarounds.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.
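The five advisories above give overlapping but different affected ranges, and
the last two apply only when the SSL VPN service is enabled; a unit on 5.6.8,
for example, is past the fix for FG-IR-18-384 but still inside the range for
FG-IR-18-389. The following is an added example, not Fortinet's tooling, that
transcribes the Affected Products sections of all five advisories and decides
which apply to a given FortiOS version string and a "config vpn ssl settings"
block. The version ranges are taken from the advisories; the two config samples
are constructed in the CLI syntax the workarounds use, with placeholder
interface and portal names. The local-versus-remote authentication condition on
FG-IR-18-389 is not derived from the config here and has to be checked by hand,
and the first three advisories carry no "only if enabled" condition in the
bulletin, so they are reported regardless of the SSL VPN state.

```python
"""Which of the five advisories in this bulletin apply to a unit (added example)."""
import re
from typing import List, Sequence, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]

BELOW = 10**6  # sentinel patch level for "x.y and below" ranges

# (IR number, CVE, inclusive affected ranges, exploitable only if SSL VPN is enabled)
ADVISORIES: Sequence[Tuple[str, str, Sequence[Range], bool]] = (
    ("FG-IR-17-242", "CVE-2017-14186",
     (((0, 0, 0), (5, 4, BELOW)), ((5, 6, 0), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))), False),
    ("FG-IR-18-383", "CVE-2018-13380",
     (((0, 0, 0), (5, 4, BELOW)), ((5, 6, 0), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))), False),
    ("FG-IR-19-034", "CVE-2019-5586", (((5, 2, 0), (6, 0, 4)),), False),
    ("FG-IR-19-034", "CVE-2019-5588", (((6, 0, 0), (6, 0, 4)),), False),
    ("FG-IR-18-384", "CVE-2018-13379",
     (((5, 6, 3), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))), True),
    ("FG-IR-18-389", "CVE-2018-13382",
     (((5, 4, 1), (5, 4, 10)), ((5, 6, 0), (5, 6, 8)), ((6, 0, 0), (6, 0, 4))), True),
)


def parse_version(text: str) -> Version:
    """'v6.0.4,build0231' -> (6, 0, 4); a bare 'x.y' counts as x.y.0."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def sslvpn_enabled(config_text: str) -> bool:
    """True if 'config vpn ssl settings' binds a source-interface.

    Mirrors the workarounds: 'unset source-interface' disables the service on
    5.2 and later, 'set sslvpn-enable disable' on 5.0 and below.
    """
    in_block, depth, enabled = False, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config vpn ssl settings"
            continue
        if line.startswith("config "):
            depth += 1            # nested table, e.g. authentication-rule
        elif line == "end":
            if depth == 0:
                break             # closes 'config vpn ssl settings'
            depth -= 1
        elif depth == 0:
            if line == "set sslvpn-enable disable":
                return False
            if line.startswith("set source-interface "):
                enabled = True
    return enabled


def applicable_advisories(version: str, config_text: str) -> List[str]:
    """IR numbers (with CVE) whose affected range and precondition both match."""
    v = parse_version(version)
    enabled = sslvpn_enabled(config_text)
    hits: List[str] = []
    for ir, cve, ranges, needs_sslvpn in ADVISORIES:
        if needs_sslvpn and not enabled:
            continue
        if any(lo <= v <= hi for lo, hi in ranges):
            hits.append(f"{ir} ({cve})")
    return hits


# Constructed samples; interface, certificate, group and portal names are placeholders.
ENABLED_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "port1"
    set source-address "all"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "web-access"
        next
    end
end
"""

DISABLED_CONFIG = """\
config vpn ssl settings
    set servercert "Fortinet_Factory"
end
"""

if __name__ == "__main__":
    for ver in ("v6.0.4,build0231", "5.6.8", "6.0.5"):
        print(ver, applicable_advisories(ver, ENABLED_CONFIG))
```

Ranges are compared as integer tuples, so "5.4 and below" is represented with a
large sentinel patch level rather than a string prefix match, which keeps 5.4.10
inside the range and 5.6.0 outside it.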

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================