FortiOS malformed HTTP or SSL/TLS traffic control
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-19-111
Final
1
Current version: 2019-07-24
By default, the FortiOS Explicit Web Proxy tunnels non-standard (non-HTTP) traffic instead of dropping it, and the FortiOS SSL/SSH Inspection Profile bypasses (passes through without inspection) non-standard SSL/TLS traffic that it cannot parse.
Operational Risk, Traffic Bypass
With default settings, this operational risk applies to all FortiOS versions.
Non-standard HTTP traffic can be disallowed with the following CLI commands (the default value of tunnel-non-http is "enable"):

    config web-proxy global
        set tunnel-non-http disable
    end

Non-standard SSL/TLS traffic can be disallowed with the following CLI commands, applied in each protocol sub-table of the inspection profile (the default value of unsupported-ssl is "bypass"):

    config firewall ssl-ssh-profile
        edit [profile-name]
            config [protocols]
                set ports [port]
                set unsupported-ssl block
            end
    end

Starting from FortiOS 6.2.1, administrators can also disallow both via the admin WebUI:

- Explicit Web Proxy: Network -> Explicit Proxy -> Protocol Enforcement (default is off)
- SSL/SSH Inspection: Security Profiles -> SSL/SSH Inspection -> Enforce SSL Protocol Compliance (default is off)
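To turn the two settings above into a check that can be run offline over an exported configuration, here is an added Python example; it is not Fortinet's code and is not part of the advisory. It assumes the dump is in the text form that the FortiOS `show` command produces, where settings left at their default are omitted (so a missing line means the default applies), and it assumes the protocol sub-table names https, ftps, imaps, pop3s and smtps for the advisory's `[protocols]` placeholder. The sample configuration is constructed for the example.

```python
"""Audit a FortiOS config dump for the two permissive defaults in FG-IR-19-111.

Assumptions (not from the advisory): the dump is `show`-style text with
defaulted settings omitted, so absence means tunnel-non-http enable and
unsupported-ssl bypass; the protocol sub-table names below are assumed.
"""
import shlex
from typing import Dict, List, Tuple

# Assumed names of the ssl-ssh-profile sub-tables that carry unsupported-ssl.
SSL_PROTOCOL_TABLES = ("https", "ftps", "imaps", "pop3s", "smtps")

# Constructed sample dump: one hardened profile and one left at defaults.
# web-proxy global has no tunnel-non-http line, i.e. the default (enable).
SAMPLE_CONFIG = """\
config web-proxy global
    set proxy-fqdn "default.fqdn"
end
config firewall ssl-ssh-profile
    edit "hardened-deep-inspection"
        set comment "FG-IR-19-111 mitigated"
        config https
            set status deep-inspection
            set unsupported-ssl block
        end
        config ftps
            set unsupported-ssl block
        end
        config imaps
            set unsupported-ssl block
        end
        config pop3s
            set unsupported-ssl block
        end
        config smtps
            set unsupported-ssl block
        end
    next
    edit "certificate-inspection"
        config https
            set status certificate-inspection
        end
    next
end
"""

Path = Tuple[str, ...]
Finding = Tuple[Path, str, str]  # (config path, setting, effective value)


def parse_fortios_config(text: str) -> Dict[Path, Dict[str, List[str]]]:
    """Map each config/edit path to its `set` lines.

    `config a b` pushes "a b", `edit "x"` pushes "x", `next`/`end` pop.
    Table entries are registered even when they contain no `set` lines.
    """
    tree: Dict[Path, Dict[str, List[str]]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            stack.append(" ".join(tokens[1:]))
        elif keyword == "edit":
            stack.append(tokens[1])
            tree.setdefault(tuple(stack), {})
        elif keyword in ("next", "end"):
            if stack:
                stack.pop()
        elif keyword == "set":
            tree.setdefault(tuple(stack), {})[tokens[1]] = tokens[2:]
        # `unset` and other keywords are not needed for this audit.
    return tree


def audit(tree: Dict[Path, Dict[str, List[str]]]) -> List[Finding]:
    """Return every setting not at the value the advisory recommends."""
    findings: List[Finding] = []
    proxy = tree.get(("web-proxy global",), {})
    tunnel = proxy.get("tunnel-non-http", ["enable"])[0]  # default: enable
    if tunnel != "disable":
        findings.append((("web-proxy global",), "tunnel-non-http", tunnel))
    for path in sorted(tree):
        if len(path) == 2 and path[0] == "firewall ssl-ssh-profile":
            for proto in SSL_PROTOCOL_TABLES:
                table = tree.get(path + (proto,), {})
                value = table.get("unsupported-ssl", ["bypass"])[0]  # default: bypass
                if value != "block":
                    findings.append((path + (proto,), "unsupported-ssl", value))
    return findings


def remediation_cli(findings: List[Finding]) -> str:
    """Render the advisory's CLI fix for each finding as a paste-able script."""
    lines: List[str] = []
    if any(path == ("web-proxy global",) for path, _, _ in findings):
        lines += ["config web-proxy global", "    set tunnel-non-http disable", "end"]
    profiles: Dict[str, List[str]] = {}
    for path, _, _ in findings:
        if path[0] == "firewall ssl-ssh-profile":
            profiles.setdefault(path[1], []).append(path[2])
    if profiles:
        lines.append("config firewall ssl-ssh-profile")
        for name in sorted(profiles):
            lines.append(f'    edit "{name}"')
            for proto in profiles[name]:
                lines += [f"        config {proto}", "            set unsupported-ssl block", "        end"]
            lines.append("    next")
        lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_fortios_config(SAMPLE_CONFIG))
    for path, setting, value in found:
        print(f"{' / '.join(path)}: {setting} = {value}")
    print(remediation_cli(found))
```

Run against a real export, the script reports the explicit proxy and every profile/protocol pair still at the default, and prints the advisory's commands for exactly those entries. Note that "block" really does block: any legitimate non-HTTP or unsupported-SSL traffic that currently relies on the default pass-through will be dropped once the change is applied, so review the findings before pasting the output into a production device.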
Fortinet thanks the security research company Praetorian for bringing this issue to our attention, together with supporting proofs.
Affected Products: FortiOS 6.2.0
CVSSv3 Score: 5.2
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:X/RC:X
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-19-111