FortiGate default configuration does not verify the LDAP server identity.

Summary

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

Impact Detail

Information Disclosure

Affected Products

FortiOS 6.2.0 and below.

Solutions

For users running versions 6.0.3 to 6.2.0, enabling the CLI option that checks for LDAP server identity entirely prevents the issue. This option can be enabled only if secure and ca-cert of the LDAP server are set. config user ldap edit ldap-server set ca-cert set secure ldaps set server-identity-check enable FortiOS 6.2.1 and above have server-identity-check enabled by default, when installed from scratch. However, for compatibility reasons, the value of server-identity-check is kept unchanged throughout firmware upgrading. In other words, upgrading from 6.0.3 - 6.2.0 to 6.2.1 and above does not suffice to thwart the issue: server-identity-check must be enabled (prior the upgrade of after, indifferently).

Acknowledgement

Fortinet is pleased to thank James Renken from the Internet Security Research Group and Florian Thiele for bringing this issue to our attention under responsible disclosure.