===========================================================================
              AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1891.3
                              Fortigate SSL VPN
                               27 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fortigate SSL VPN
Publisher:         Fortigate
Operating System:  Network Appliance
Impact/Access:     Cross-site Scripting      -- Remote with User Interaction
                   Access Confidential Data  -- Remote/Unauthenticated
                   Increased Privileges      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14186

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-17-242
   https://fortiguard.com/psirt/FG-IR-18-383
   https://fortiguard.com/psirt/FG-IR-19-034
   https://fortiguard.com/psirt/FG-IR-18-384
   https://fortiguard.com/psirt/FG-IR-18-389

Revision History:  November 27 2019: Vendor updated advisories 383 and 384 with
                                     fixes for v5.4.13
                   June 5 2019:      FG-IR-18-384 and FG-IR-18-389: Clarified
                                     the impacted versions and workarounds.
                   May 27 2019:      Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

FortiGate SSL VPN web portal login redir XSS vulnerability

IR Number : FG-IR-17-242
Date      : Nov 23, 2017
Risk      : 3/5
Impact    : Cross-site Scripting (XSS), URL Redirection Attack
CVE ID    : CVE-2017-14186

Summary

Failure to sanitize the login redir parameter in the SSL-VPN web portal may
allow an attacker to perform a Cross-site Scripting (XSS) or a URL Redirection
attack.

Impact

Cross-site Scripting (XSS), URL Redirection Attack

Affected Products

FortiOS 6.0.0 -> 6.0.4
FortiOS 5.6.0 -> 5.6.7
FortiOS 5.4 and below.

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0

Workarounds:

For workaround on the unfixed versions, if the SSL-VPN web portal feature was
enabled, disable the SSL-VPN web portal service by applying the following CLI
commands:

For FortiOS 5.0 and below branches:

config vpn ssl settings
    set sslvpn-enable disable
end

For FortiOS 5.2, 5.4 and 5.6 branches:

config vpn ssl settings
    unset source-interface
end

Revision History:

2017-11-23 Initial version
2018-05-15 Clarify the workaround applied versions
2018-09-06 Correct the exploit condition and risk level
2019-05-15 Fixed version and Risk level updated

Acknowledgement

Fortinet is pleased to thank Stefan Viehbock from SEC Consult Vulnerability
Lab, Dan Taler from Content Security Pty Ltd, Sage Data Security, Julio Sanchez
from SecureAuth Corporation and Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

References

o https://www.sec-consult.com/en/blog/advisories/fortigate-ssl-vpn-portal-xss-vulnerability/index.html

----------------------------------------------------------------------------------

FortiOS multiple pre-auth XSS vulnerabilities on SSL VPN

IR Number : FG-IR-18-383
Date      : May 24, 2019
Risk      : 3/5
Impact    : Cross-site scripting (XSS)
CVE ID    : CVE-2018-13380

Summary

Failure to sanitize the error or message handling parameters in the SSL VPN
web portal may allow an attacker to perform a Cross-site Scripting (XSS)
attack.

Impact

Cross-site scripting (XSS)

Affected Products

FortiOS 6.0.0 to 6.0.4
FortiOS 5.6.0 to 5.6.7
FortiOS 5.4.0 to 5.4.12
FortiOS 5.2 branch and below

Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

Workarounds:

For workaround on the unfixed versions, if the SSL-VPN web portal feature is
enabled, disable the SSL-VPN web portal service by applying the following CLI
commands:

For FortiOS 5.0 and below branches:

config vpn ssl settings
    set sslvpn-enable disable
end

For FortiOS 5.2 and above branches:

config vpn ssl settings
    unset source-interface
end

Revision History:

05-24-2019 Initial Version
11-26-2019 New fix on 5.4.13 released.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

----------------------------------------------------------------------------------

FortiOS reflected XSS in the SSL VPN web portal error page parameters

IR Number : FG-IR-19-034
Date      : May 24, 2019
Risk      : 3/5
Impact    : Cross-site Scripting (XSS)
CVE ID    : CVE-2019-5586, CVE-2019-5588

Summary

Failure to sanitize input in the SSL VPN web portal may allow an attacker to
perform a reflected Cross-site Scripting (XSS) attack via multiple parameters
of the error page HTTP request.

Impact

Cross-site Scripting (XSS)

Affected Products

CVE-2019-5586: FortiOS 5.2.0 to 6.0.4
CVE-2019-5588: FortiOS 6.0.0 to 6.0.4

Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0

Workarounds:

Disable the SSL-VPN web portal service by applying the following CLI commands:

config vpn ssl settings
    unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Aaron Hall from Verizon Media Group (Oath) for
reporting CVE-2019-5586 and Nathan HARDY, Cybersecurity Engineer/Consultant at
Sogeti Luxembourg, for reporting CVE-2019-5588 under responsible disclosure.

----------------------------------------------------------------------------------

IR Number : FG-IR-18-384
Date      : May 24, 2019
Risk      : 4/5
Impact    : Information Disclosure
CVE ID    : CVE-2018-13379

Summary

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an
unauthenticated attacker to download FortiOS system files through specially
crafted HTTP resource requests.

Impact

Information Disclosure

Affected Products

FortiOS 6.0 - 6.0.0 to 6.0.4
FortiOS 5.6 - 5.6.3 to 5.6.7
FortiOS 5.4 - 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

Workarounds:

As a temporary solution, the only workaround is to totally disable the SSL-VPN
service (both web-mode and tunnel-mode) by applying the following CLI commands:

config vpn ssl settings
    unset source-interface
end

Note that firewall policies tied to SSL VPN will need to be unset first for the
above sequence to execute successfully. As an example, when source-interface is
"port1" and SSL VPN interface is "ssl.root", the following CLI commands would be
needed to ensure "unset source-interface" executes successfully:

config vpn ssl settings
    config authentication-rule
        purge                (purge all authentication-rules)
    end
end

config firewall policy
    delete [policy-id]       (SSL VPN policy ID(s) that srcintf is "ssl.root"
                              and dstintf is "port1")
end

Note that code to exploit this vulnerability in order to obtain the credentials
of logged in SSL VPN users was disclosed. In absence of upgrading to the
versions listed above, mitigating the impact of this exploit can be done by
enabling two-factor authentication for SSL VPN users. An attacker would then
not be able to use stolen credentials to impersonate SSL VPN users.

Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the impacted versions and workarounds.
2019-08-30 FortiOS 5.4 branch (starts from 5.4.6) also affected and fix
           scheduled.
2019-08-30 Two-factor authentication mitigation added for the disclosed
           exploit.
2019-08-30 Add public disclosure reference link.
2019-11-26 New fix on 5.4.13 released.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

References

o https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html

----------------------------------------------------------------------------------

Unauthenticated SSL VPN users password modification

IR Number : FG-IR-18-389
Date      : May 24, 2019
Risk      : 4/5
CVE ID    : CVE-2018-13382

Summary

An Improper Authorization vulnerability in the SSL VPN web portal may allow an
unauthenticated attacker to change the password of an SSL VPN web portal user
via specially crafted HTTP requests.

Affected Products

FortiOS 6.0.0 to 6.0.4
FortiOS 5.6.0 to 5.6.8
FortiOS 5.4.1 to 5.4.10

Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Note that only users with local authentication are affected; SSL VPN users
with remote authentication (LDAP or RADIUS) are not impacted.

Versions 5.4.0 and below (including branch 5.2) are not affected.

Solutions

Upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.

Workaround:

The only workaround is to migrate SSL VPN user authentication from local to
remote (LDAP or RADIUS), or totally disable the SSL-VPN service (both web-mode
and tunnel-mode) by applying the following CLI commands:

config vpn ssl settings
    unset source-interface
end

Note that firewall policies tied to SSL VPN will need to be unset first for the
above sequence to execute successfully. As an example, when source-interface is
"port1" and SSL VPN interface is "ssl.root", the following CLI commands would be
needed to ensure "unset source-interface" executes successfully:

config vpn ssl settings
    config authentication-rule
        purge                (purge all authentication-rules)
    end
end

config firewall policy
    delete [policy-id]       (SSL VPN policy ID(s) that srcintf is "ssl.root"
                              and dstintf is "port1")
end

Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the affected versions and workarounds.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
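The five advisories above each give their own affected ranges and first fixed releases, and a fleet owner has to reconcile them per unit. The following is an added example, not part of the AusCERT bulletin or of Fortinet's text: it transcribes the "Affected Products" and "Solutions" sections into tables and answers, for a given FortiOS version string (as "get system status" prints it, e.g. "v6.0.4,build<N>"), which advisories apply and what the lowest closing release on the running branch is. The version string format and the "SSL VPN disabled means not exposed" shortcut are assumptions.

```python
import re

BELOW = (0, 0, 0)     # floor for "X and below" ranges
ANY = 10 ** 6         # "5.4 and below" = everything up to (5, 4, <any patch>)

# advisory -> inclusive (low, high) version ranges, from "Affected Products" above
AFFECTED = {
    "FG-IR-17-242": [((6, 0, 0), (6, 0, 4)), ((5, 6, 0), (5, 6, 7)), (BELOW, (5, 4, ANY))],
    "FG-IR-18-383": [((6, 0, 0), (6, 0, 4)), ((5, 6, 0), (5, 6, 7)), ((5, 4, 0), (5, 4, 12)),
                     (BELOW, (5, 2, ANY))],
    "FG-IR-19-034": [((5, 2, 0), (6, 0, 4))],   # CVE-2019-5586; CVE-2019-5588 is a subset
    "FG-IR-18-384": [((6, 0, 0), (6, 0, 4)), ((5, 6, 3), (5, 6, 7)), ((5, 4, 6), (5, 4, 12))],
    "FG-IR-18-389": [((6, 0, 0), (6, 0, 4)), ((5, 6, 0), (5, 6, 8)), ((5, 4, 1), (5, 4, 10))],
}
# advisory -> first fixed release per branch, from the "Solutions" lines above
FIXED = {
    "FG-IR-17-242": {"5.6": (5, 6, 8), "6.0": (6, 0, 5)},
    "FG-IR-18-383": {"5.4": (5, 4, 13), "5.6": (5, 6, 8), "6.0": (6, 0, 5)},
    "FG-IR-19-034": {"6.0": (6, 0, 5)},
    "FG-IR-18-384": {"5.4": (5, 4, 13), "5.6": (5, 6, 8), "6.0": (6, 0, 5)},
    "FG-IR-18-389": {"5.4": (5, 4, 11), "5.6": (5, 6, 9), "6.0": (6, 0, 5)},
}

def parse_version(text):
    """'v5.6.7,build<N>' (assumed 'get system status' layout) or '5.6.7' -> (5, 6, 7)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no FortiOS version in %r" % text)
    return tuple(int(x) for x in m.groups())

def applicable_advisories(version, ssl_vpn_enabled=True):
    """IDs of the advisories above whose affected range contains `version`.
    All five issues live in the SSL VPN service, so a unit with SSL VPN fully
    disabled (the bulletin's last-resort workaround) is treated as not exposed."""
    if not ssl_vpn_enabled:
        return []
    v = parse_version(version) if isinstance(version, str) else version
    return [adv for adv, ranges in AFFECTED.items() if any(lo <= v <= hi for lo, hi in ranges)]

def minimum_fix(version):
    """Lowest release on the running branch that closes every applicable advisory,
    or None when some advisory has no fix on this branch (move to 6.0.5/6.2.0)."""
    v = parse_version(version) if isinstance(version, str) else version
    branch = "%d.%d" % v[:2]
    needed = []
    for adv in applicable_advisories(v):
        if branch not in FIXED[adv]:
            return None
        needed.append(FIXED[adv][branch])
    return max(needed) if needed else v
```

Note that a 5.6.x unit never gets a same-branch answer: FG-IR-19-034 lists 5.2.0 to 6.0.4 as affected but only 6.0.5 or 6.2.0 as fixes, so the table returns None and the branch itself has to move.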