FortiWeb's cookie tampering protection can be bypassed by erasing the FortiWeb session cookie
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-17-279
Final
1
1
2018-03-06T00:00:00
Current version
2018-03-06T00:00:00
2018-03-06T00:00:00
An improper access control vulnerability in FortiWeb's Signed Security mode may allow an attacker to disable the cookie tampering protection offered by FortiWeb (to sites FortiWeb protects), via deleting FortiWeb's session cookie.
Improper Access Control
FortiWeb versions 5.6.0 and later, below 6.1.0.
Upgrade to FortiWeb 6.1.0 and ensure the "Allow Suspicious Cookies" value is set to "Never" or "Custom" (the default value) when "Security Mode" is set to "Signed".

Workarounds:
A simple workaround with no downside is available for impacted versions, as described below:

Use "Encrypted" security mode instead of "Signed" security mode. Cookies set by protected web sites will then be encrypted by FortiWeb before being passed on to end users. Since attackers do not know the encryption key, cookie tampering remains impossible, and removing FortiWeb's own session cookie will not enable a protection bypass.

From the FortiWeb GUI, choose "Encrypted" Security Mode under Web Protection > Cookie Security.

From the FortiWeb CLI, set security-mode to "encrypted" instead of "signed":

    config waf cookie-security
        edit [cookie-security_name]
            set security-mode {no | encrypted* | signed}
        next
    end

Further Reference: http://help.fortinet.com/fweb/580/Content/FortiWeb/fortiweb-admin/cookie_security.htm

Revision History:
2018-03-06 Initial Version
2019-04-01 Formal solution provided in FortiWeb 6.1.0
Fortinet is pleased to thank independent researcher "Yavuz Özdemir" from 4S information Technology for reporting this vulnerability under responsible disclosure.
FortiWeb 6.0.8
FortiWeb 6.0.7
FortiWeb 6.0.5
FortiWeb 6.0.4
FortiWeb 6.0.3
FortiWeb 6.0.2
FortiWeb 6.0.1
FortiWeb 6.0.0
FortiWeb 5.9.2
FortiWeb 5.9.1
FortiWeb 5.9.0
FortiWeb 5.8.7
FortiWeb 5.8.6
FortiWeb 5.8.5
FortiWeb 5.8.3
FortiWeb 5.8.2
FortiWeb 5.8.1
FortiWeb 5.8.0
FortiWeb 5.7.3
FortiWeb 5.7.2
FortiWeb 5.7.1
FortiWeb 5.7.0
FortiWeb 5.6.2
FortiWeb 5.6.1
FortiWeb 5.6.0
FortiWeb's cookie tampering protection can be bypassed by erasing the FortiWeb session cookie
CVE-2017-14191
FortiWeb-6.0.8
FortiWeb-6.0.7
FortiWeb-6.0.5
FortiWeb-6.0.4
FortiWeb-6.0.3
FortiWeb-6.0.2
FortiWeb-6.0.1
FortiWeb-6.0.0
FortiWeb-5.9.2
FortiWeb-5.9.1
FortiWeb-5.9.0
FortiWeb-5.8.7
FortiWeb-5.8.6
FortiWeb-5.8.5
FortiWeb-5.8.3
FortiWeb-5.8.2
FortiWeb-5.8.1
FortiWeb-5.8.0
FortiWeb-5.7.3
FortiWeb-5.7.2
FortiWeb-5.7.1
FortiWeb-5.7.0
FortiWeb-5.6.2
FortiWeb-5.6.1
FortiWeb-5.6.0
5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-17-279