===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1891.3
                             Fortigate SSL VPN
                             27 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fortigate SSL VPN
Publisher:         Fortigate
Operating System:  Network Appliance
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
                   Increased Privileges     -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14186  

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-17-242
   https://fortiguard.com/psirt/FG-IR-18-383
   https://fortiguard.com/psirt/FG-IR-19-034
   https://fortiguard.com/psirt/FG-IR-18-384
   https://fortiguard.com/psirt/FG-IR-18-389

Revision History:  November 27 2019: Vendor updated advisories 383 and 384 with
                                     fixes for v5.4.13
                   June      5 2019: FG-IR-18-384 and FG-IR-18-389: Clarified the
                                     impacted versions and workarounds.
                   May      27 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

FortiGate SSL VPN web portal login redir XSS vulnerability

IR Number : FG-IR-17-242

Date      : Nov 23, 2017

Risk      : 3/5

Impact    : Cross-site Scripting (XSS), URL Redirection Attack

CVE ID    : CVE-2017-14186

Summary

Failure to sanitize the login redir parameter in the SSL-VPN web portal may
allow an attacker to perform a Cross-site Scripting (XSS) or a URL Redirection
attack.
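The bug class this summary names, shown as an added example that is not FortiOS code or Fortinet's own: a post-login redirect parameter reflected verbatim, beside a hardened handler that accepts only a local absolute path. The parameter handling, the landing path and the response shape are constructed for illustration.

```python
# Added example, not FortiOS code: the redirect-parameter bug class named in
# this advisory, in its vulnerable and hardened forms. Parameter and path
# names here are constructed for illustration.
import html
from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/portal"   # constructed landing path for the safe fallback


def redirect_vulnerable(redir):
    """Reflects the parameter verbatim into the Location header and the
    markup, so a foreign URL, a script URL or markup in the value is used
    as-is: this is the failure mode the advisory describes."""
    return {"Location": redir, "body": f'<a href="{redir}">continue</a>'}


def safe_redirect_target(redir, default=DEFAULT_LANDING):
    """Accept redir only if it is a plain absolute path on this host."""
    if not redir:
        return default
    candidate = unquote(redir)          # normalise %2F etc. before checking
    # Anything not starting with a single "/" (foreign URL, scheme-relative
    # "//host", "javascript:") falls back to the default landing page.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:    # belt and braces with the check above
        return default
    # Backslashes (treated as "/" by some browsers) and control characters
    # (header-splitting CR/LF) are rejected outright rather than cleaned.
    if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
        return default
    return candidate


def redirect_hardened(redir):
    """Validated target for the header, HTML-escaped copy for the markup."""
    target = safe_redirect_target(redir)
    link = html.escape(target, quote=True)
    return {"Location": target, "body": f'<a href="{link}">continue</a>'}


if __name__ == "__main__":
    for value in ("/portal/home", "//evil.example/", "javascript:alert(1)"):
        print(repr(value), "->", safe_redirect_target(value))
```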

Impact

Cross-site Scripting (XSS), URL Redirection Attack

Affected Products

FortiOS 6.0.0 -> 6.0.4

FortiOS 5.6.0 -> 5.6.7

FortiOS 5.4 and below.

Solutions

Upgrade to FortiOS 5.6.8, 6.0.5 or 6.2.0


Workarounds:


As a workaround on unfixed versions, if the SSL-VPN web portal feature is
enabled, disable the SSL-VPN web portal service by applying the following CLI
commands:


For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end


For FortiOS 5.2, 5.4 and 5.6 branches:

config vpn ssl settings
unset source-interface
end


Revision History:


2017-11-23 Initial version
2018-05-15 Clarify the workaround applied versions
2018-09-06 Correct the exploit condition and risk level
2019-05-15 Fixed version and Risk level updated

Acknowledgement

Fortinet is pleased to thank Stefan Viehbock from SEC Consult Vulnerability
Lab, Dan Taler from Content Security Pty Ltd, Sage Data Security, Julio Sanchez
from SecureAuth Corporation and Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

References

  o https://www.sec-consult.com/en/blog/advisories/fortigate-ssl-vpn-portal-xss-vulnerability/index.html

----------------------------------------------------------------------------------

FortiOS multiple pre-auth XSS vulnerabilities on SSL VPN

IR Number : FG-IR-18-383
Date      : May 24, 2019
Risk      : 3/5
Impact    : Cross-site scripting (XSS)
CVE ID    : CVE-2018-13380

Summary

Failure to sanitize the error or message handling parameters in the SSL VPN web
portal may allow an attacker to perform a Cross-site Scripting (XSS) attack.

Impact

Cross-site scripting (XSS)

Affected Products

FortiOS 6.0.0 to 6.0.4

FortiOS 5.6.0 to 5.6.7

FortiOS 5.4.0 to 5.4.12

FortiOS 5.2 branch and below

Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.


Workarounds:


As a workaround on unfixed versions, if the SSL-VPN web portal feature is
enabled, disable the SSL-VPN web portal service by applying the following CLI
commands:


For FortiOS 5.0 and below branches:

config vpn ssl settings
set sslvpn-enable disable
end


For FortiOS 5.2 and above branches:

config vpn ssl settings
unset source-interface
end


Revision History:

05-24-2019 Initial Version
11-26-2019 New fix on 5.4.13 released.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

----------------------------------------------------------------------------------

FortiOS reflected XSS in the SSL VPN web portal error page parameters

IR Number : FG-IR-19-034

Date      : May 24, 2019

Risk      : 3/5

Impact    : Cross-site Scripting (XSS)

CVE ID    : CVE-2019-5586, CVE-2019-5588

Summary

Failure to sanitize input in the SSL VPN web portal may allow an attacker to
perform a reflected Cross-site Scripting (XSS) attack via multiple parameters
of the error page HTTP request.

Impact

Cross-site Scripting (XSS)

Affected Products

CVE-2019-5586 FortiOS 5.2.0 to 6.0.4

CVE-2019-5588 FortiOS 6.0.0 to 6.0.4

Solutions

Upgrade to FortiOS 6.0.5 or 6.2.0


Workarounds:


Disable the SSL-VPN web portal service by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Acknowledgement

Fortinet is pleased to thank Aaron Hall from Verizon Media Group (Oath) for
reporting CVE-2019-5586, and Nathan HARDY, Cybersecurity Engineer/Consultant at
Sogeti Luxembourg, for reporting CVE-2019-5588 under responsible disclosure.

----------------------------------------------------------------------------------

IR Number : FG-IR-18-384
Date      : May 24, 2019
Risk      : 4/5
Impact    : Information Disclosure
CVE ID    : CVE-2018-13379

Summary

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an
unauthenticated attacker to download FortiOS system files through specially
crafted HTTP resource requests.

Impact

Information Disclosure

Affected Products

FortiOS 6.0 - 6.0.0 to 6.0.4

FortiOS 5.6 - 5.6.3 to 5.6.7

FortiOS 5.4 - 5.4.6 to 5.4.12

(other branches and versions than above are not impacted)

ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.


Workarounds:


As a temporary solution, the only workaround is to totally disable the SSL-VPN
service (both web-mode and tunnel-mode) by applying the following CLI commands:


config vpn ssl settings
unset source-interface
end


Note that firewall policies tied to SSL VPN will need to be unset first for the
above sequence to execute successfully.


As an example, when source-interface is "port1" and SSL VPN interface is
"ssl.root", the following CLI commands would be needed to ensure "unset
source-interface" executes successfully:


config vpn ssl settings
config authentication-rule
purge (purge all authentication-rules)
end
end

config firewall policy
delete [policy-id] (the ID of each SSL VPN policy whose srcintf is "ssl.root"
and dstintf is "port1")
end


Note that exploit code for this vulnerability, which obtains the credentials of
logged-in SSL VPN users, has been publicly disclosed. Where upgrading to the
versions listed above is not possible, the impact of this exploit can be
mitigated by enabling two-factor authentication for SSL VPN users: stolen
credentials alone would then not be enough to impersonate SSL VPN users.


Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the impacted versions and workarounds.
2019-08-30 FortiOS 5.4 branch (from 5.4.6 onwards) also affected; fix
scheduled.
2019-08-30 Two-factor authentication mitigation added for the disclosed exploit.
2019-08-30 Add public disclosure reference link.
2019-11-26 New fix on 5.4.13 released.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

References

  o https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html

----------------------------------------------------------------------------------

Unauthenticated SSL VPN users password modification

IR Number : FG-IR-18-389

Date      : May 24, 2019

Risk      : 4/5

CVE ID    : CVE-2018-13382

Summary

An Improper Authorization vulnerability in the SSL VPN web portal may allow an
unauthenticated attacker to change the password of an SSL VPN web portal user
via specially crafted HTTP requests.

Affected Products

FortiOS 6.0.0 to 6.0.4

FortiOS 5.6.0 to 5.6.8

FortiOS 5.4.1 to 5.4.10

Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.


Note that only users with local authentication are affected; SSL VPN users with
remote authentication (LDAP or RADIUS) are not impacted.


Versions 5.4.0 and below (including branch 5.2) are not affected.
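Added example (not Fortinet's or AusCERT's code): a small triage helper that checks a FortiOS version string against the affected ranges transcribed from all five advisories in this bulletin, so an inventory can be compared with the fixed versions the vendor lists. The accepted version-string formats and the entry labels are assumptions; the vendor's preconditions (SSL VPN enabled, local authentication) are recorded in the labels and not evaluated.

```python
# Added example, not Fortinet's or AusCERT's code: triage a FortiOS version
# string against the affected ranges transcribed from the five advisories in
# this bulletin. Preconditions the vendor states (SSL VPN enabled, local
# authentication) are recorded in the entry names, not evaluated.

# Bounds are inclusive. A 2-tuple bound such as (5, 4) means the whole 5.4
# branch; None means the bound is open ("5.4 and below").
AFFECTED = {
    "CVE-2017-14186 FG-IR-17-242 login redir XSS":
        [((6, 0, 0), (6, 0, 4)), ((5, 6, 0), (5, 6, 7)), (None, (5, 4))],
    "CVE-2018-13380 FG-IR-18-383 pre-auth XSS":
        [((6, 0, 0), (6, 0, 4)), ((5, 6, 0), (5, 6, 7)),
         ((5, 4, 0), (5, 4, 12)), (None, (5, 2))],
    "CVE-2019-5586 FG-IR-19-034 reflected XSS": [((5, 2, 0), (6, 0, 4))],
    "CVE-2019-5588 FG-IR-19-034 reflected XSS": [((6, 0, 0), (6, 0, 4))],
    "CVE-2018-13379 FG-IR-18-384 path traversal (SSL VPN enabled)":
        [((6, 0, 0), (6, 0, 4)), ((5, 6, 3), (5, 6, 7)), ((5, 4, 6), (5, 4, 12))],
    "CVE-2018-13382 FG-IR-18-389 password change (SSL VPN + local auth)":
        [((6, 0, 0), (6, 0, 4)), ((5, 6, 0), (5, 6, 8)), ((5, 4, 1), (5, 4, 10))],
}


def parse_version(text):
    """'v6.0.4,build0231' or '6.0.4' -> (6, 0, 4) (assumed input formats)."""
    core = text.strip().lstrip("v").split(",")[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version, lo, hi):
    """Inclusive check; truncating to the bound's length makes (5, 4) cover 5.4.x."""
    if lo is not None and version[:len(lo)] < lo:
        return False
    if hi is not None and version[:len(hi)] > hi:
        return False
    return True


def affected_by(version_text):
    """Names of the bulletin entries whose affected ranges include this version."""
    version = parse_version(version_text)
    return [name for name, ranges in AFFECTED.items()
            if any(in_range(version, lo, hi) for lo, hi in ranges)]


if __name__ == "__main__":
    for sample in ("6.0.4", "5.4.13", "5.6.8", "6.2.0"):
        print(sample, "->", affected_by(sample) or ["not listed as affected"])
```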

Solutions

Upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.


Workaround:


The only workaround is to migrate SSL VPN user authentication from local to
remote (LDAP or RADIUS), or totally disable the SSL-VPN service (both web-mode
and tunnel-mode) by applying the following CLI commands:


config vpn ssl settings
unset source-interface
end


Note that firewall policies tied to SSL VPN will need to be unset first for the
above sequence to execute successfully.


As an example, when source-interface is "port1" and SSL VPN interface is
"ssl.root", the following CLI commands would be needed to ensure "unset
source-interface" executes successfully:


config vpn ssl settings
config authentication-rule
purge (purge all authentication-rules)
end
end

config firewall policy
delete [policy-id] (the ID of each SSL VPN policy whose srcintf is "ssl.root"
and dstintf is "port1")
end


Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the affected versions and workarounds.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security
Research Team for reporting this vulnerability under responsible disclosure.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================