    SeedTheNet

    FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface

    Summary

    An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

     

    Exploitation Status:

    Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs:

    user="Local_Process_Access" 

    Please contact customer support for assistance.

     

    UPDATE: Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices, and to add a malicious super_admin account called "fortigate-tech-support":

    # show system admin
    edit "fortigate-tech-support"
    set accprofile "super_admin"
    set vdom "root"
    set password ENC [...]
    next

    Please contact customer support for assistance.
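    The two indicators named above (the log user "Local_Process_Access" and an unexpected super_admin account) can be checked automatically. The following script is an added example, not part of the advisory or any Fortinet tool: it parses FortiOS key=value event log lines and "show system admin" CLI output, and runs against constructed sample data so it works offline.

```python
import re

# Indicators named in the advisory: the log user and the rogue account name.
IOC_USER = "Local_Process_Access"
ROGUE_ADMIN = "fortigate-tech-support"

# FortiOS event logs are key=value pairs; values may be quoted or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Parse one FortiOS key=value log line into a dict."""
    return {k: q or b for k, q, b in _KV.findall(line)}

def find_ioc_hits(lines):
    """Return parsed records whose user field matches the advisory's IoC."""
    return [r for r in map(parse_log_line, lines) if r.get("user") == IOC_USER]

def unexpected_admins(show_output, expected):
    """From 'show system admin' output, return account names not in `expected`."""
    names = re.findall(r'^\s*edit "([^"]+)"', show_output, re.MULTILINE)
    return sorted(set(names) - set(expected))

# Constructed sample input (not from a real device); 192.0.2.10 is a documentation address.
SAMPLE_LOGS = [
    'date=2022-10-10 time=09:15:02 type="event" subtype="system" user="admin" '
    'ui="https(192.0.2.10)" action="login" status="success"',
    'date=2022-10-10 time=09:15:40 type="event" subtype="system" user="Local_Process_Access" '
    'ui="jsconsole" action="Edit" cfgpath="system.admin" cfgobj="fortigate-tech-support" '
    'msg="Edit system.admin fortigate-tech-support"',
]
SAMPLE_SHOW_ADMIN = """# show system admin
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "fortigate-tech-support"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC [...]
    next
end
"""

if __name__ == "__main__":
    for rec in find_ioc_hits(SAMPLE_LOGS):
        print("IoC hit:", rec.get("date"), rec.get("time"), rec.get("msg", ""))
    for name in unexpected_admins(SAMPLE_SHOW_ADMIN, {"admin"}):
        print("Unexpected administrator account:", name)
```

    Feed it real log exports and CLI output in place of the samples; any hit warrants the customer-support contact the advisory recommends.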

     

    Workaround:

    FortiOS:

    Disable HTTP/HTTPS administrative interface

    OR

    Limit IP addresses that can reach the administrative interface:

    config firewall address
    edit "my_allowed_addresses"
    set subnet <MY IP> <MY SUBNET>
    end

    Then create an Address Group:

    config firewall addrgrp
    edit "MGMT_IPs"
    set member "my_allowed_addresses"
    end

    Create the Local in Policy to restrict access only to the predefined group on the management interface (here: port1):

    config firewall local-in-policy
    edit 1
    set intf port1
    set srcaddr "MGMT_IPs"
    set dstaddr "all"
    set action accept
    set service HTTPS HTTP
    set schedule "always"
    set status enable
    next
    edit 2
    set intf "any"
    set srcaddr "all"
    set dstaddr "all"
    set action deny
    set service HTTPS HTTP
    set schedule "always"
    set status enable
    end

    If using non-default ports, create an appropriate service object for GUI administrative access:

    config firewall service custom
    edit GUI_HTTPS
    set tcp-portrange <admin-sport>
    next
    edit GUI_HTTP
    set tcp-portrange <admin-port>
    end

    Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

    UPDATE: When using an HA reserved management interface, the local in policy needs to be configured slightly differently - please see: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005

    Please contact customer support for assistance.

     

    FortiProxy:

    Disable HTTP/HTTPS administrative interface

    OR

    For FortiProxy VM all versions or FortiProxy appliance 7.0.6:

    Limit IP addresses that can reach the administrative interface (here: port1):

    config system interface
    edit port1
    set dedicated-to management
    set trust-ip-1 <MY IP> <MY SUBNET>
    end

    Please contact customer support for assistance.

     

    FortiSwitchManager:

    Disable HTTP/HTTPS administrative interface

    Please contact customer support for assistance.

    Affected Products

    FortiOS versions 5.x, 6.x are NOT impacted.
    FortiOS version 7.2.0 through 7.2.1
    FortiOS version 7.0.0 through 7.0.6
    FortiProxy version 7.2.0
    FortiProxy version 7.0.0 through 7.0.6
    FortiSwitchManager version 7.2.0
    FortiSwitchManager version 7.0.0

    Solutions

    Please upgrade to FortiOS version 7.2.2 or above
    Please upgrade to FortiOS version 7.0.7 or above
    Please upgrade to FortiProxy version 7.2.1 or above
    Please upgrade to FortiProxy version 7.0.7 or above
    Please upgrade to FortiSwitchManager version 7.2.1 or above
    Please upgrade to FortiSwitchManager version 7.0.1 or above

    Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms

