FortiOS SSL VPN web portal Host Header Redirection

Summary

A Host Header Redirection vulnerability exists in FortiOS SSL-VPN web portal: when an attacker submits specially crafted HTTP requests, the SSL-VPN web portal may respond with a redirection to websites specified by the attacker.

If a web proxy's cache is poisoned with the aforementioned redirection, users of this web proxy may be directed to the attacker's specified websites when trying to access the SSL-VPN web portal.
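The redirect pattern described above, as an added example that is not Fortinet's code: a redirect built from the client-supplied Host header beside a hardened form that only honours an allowlisted host, plus a defender-side check for off-site Location headers. The portal hostname, request headers and log lines are constructed for illustration.

```python
"""Host-header-driven redirect: weak pattern, hardened pattern, detection."""
from urllib.parse import urlsplit

PORTAL_HOST = "vpn.example.com"   # assumed canonical portal hostname (constructed)


def vulnerable_redirect(headers: dict, path: str) -> str:
    # Trusts the Host header to build the Location target. A crafted request
    # therefore yields a redirect to whatever host the client supplied, and a
    # proxy that caches the response hands that redirect to every later user.
    host = headers.get("Host", PORTAL_HOST)
    return f"https://{host}{path}"


def safe_redirect(headers: dict, path: str, allowed=(PORTAL_HOST,)) -> str:
    # Honour the Host header only when it is an explicitly allowed portal
    # hostname; otherwise fall back to the configured canonical host so the
    # redirect target is never chosen by the request.
    host = headers.get("Host", "").split(":")[0].strip().lower()
    if host not in allowed:
        host = PORTAL_HOST
    # Keep the path same-origin: reject scheme-relative "//host/..." forms.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return f"https://{host}{path}"


def is_offsite_redirect(location: str, allowed=(PORTAL_HOST,)) -> bool:
    # Flags a Location value whose host is not one of the portal's own names.
    return urlsplit(location).hostname not in allowed


def suspicious_redirects(log_lines, allowed=(PORTAL_HOST,)):
    # Scans constructed proxy/server log lines of the form
    # "<status> Location: <url>" and returns the off-site targets of 30x responses.
    found = []
    for line in log_lines:
        status, _, rest = line.partition(" ")
        if status.startswith("3") and rest.startswith("Location: "):
            target = rest[len("Location: "):].strip()
            if is_offsite_redirect(target, allowed):
                found.append(target)
    return found


SAMPLE_LOG = [  # constructed sample, not real FortiOS output
    "302 Location: https://vpn.example.com/login",
    "302 Location: https://attacker.example/login",
    "200 OK",
]
```

Running `suspicious_redirects(SAMPLE_LOG)` over the constructed sample returns only the attacker-controlled target, which is the signal a proxy cache inspection would look for.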

Affected Products

FortiOS 5.4.0 to 6.0.4, 5.2.14 and below.

Solutions

Upgrade to FortiOS 5.2.15, 6.0.5 or 6.2.0.

Workarounds

The risk is low as the attack needs to be combined with other attacks to have an impact. As a measure of precaution, administrators may want to disable the SSL-VPN web portal service by applying the following CLI commands:

    config vpn ssl settings
        unset source-interface
    end

Revision History

2019-05-17 Initial version
2020-01-03 New fix on 5.2.15 released.

Acknowledgement

Fortinet is pleased to thank Julio Sanchez from SecureAuth Corporation for reporting this vulnerability under responsible disclosure.