PSIRT Advisory

FortiOS CAPWAP server two vulnerabilities

Impact

Denial of service (DoS) of the CAPWAP service, authenticated cross-site scripting (XSS)

Affected Products

FortiOS with CAPWAP enabled:
5.2.2 and below
5.0.11 and below

Solutions

Upgrade FortiOS to the following versions:
5.4.0
5.2.3
5.0.12
Workaround:
Make sure CAPWAP is disabled if it is not needed. Run:
show system interface
The output must not display "capwap" in any interface's "allowaccess" entry. If it is present, reconfigure that interface without capwap, keeping only the management services it needs. For instance:
config system interface
    edit "port1"
        set allowaccess ssh https
    next
end
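The check above is easy to miss on a device with many interfaces. The following script, added here as an example and not part of the advisory, parses a saved "show system interface" dump, lists every interface whose allowaccess entry still contains capwap, and generates the CLI block that re-applies each affected interface's allowaccess list without it (the sample dump is constructed, not captured from a real FortiGate).

```python
import re

# Constructed sample of "show system interface" output (not captured from a device).
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh capwap
    next
    edit "port2"
        set allowaccess ping
    next
    edit "wifi"
        set allowaccess capwap
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_ALLOW_RE = re.compile(r'^\s*set\s+allowaccess\s+(.+?)\s*$')

def parse_allowaccess(show_output):
    # Map interface name -> allowaccess services (empty list if none is set).
    result, current = {}, None
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = _ALLOW_RE.match(line)
        if m and current is not None:
            result[current] = m.group(1).split()
    return result

def capwap_interfaces(show_output):
    # Interfaces whose allowaccess entry still exposes the CAPWAP server.
    return [n for n, s in parse_allowaccess(show_output).items() if "capwap" in s]

def remediation_cli(show_output):
    # FortiOS CLI that re-applies each affected interface's allowaccess list
    # without capwap; "unset" when capwap was the only service allowed.
    access = parse_allowaccess(show_output)
    lines = ["config system interface"]
    for name in capwap_interfaces(show_output):
        kept = [s for s in access[name] if s != "capwap"]
        lines.append('    edit "%s"' % name)
        lines.append("        set allowaccess " + " ".join(kept) if kept else "        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)
```

Review the generated block before pasting it into the CLI, since it removes only capwap and leaves every other allowed service in place.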
If CAPWAP is needed, note that the XSS vulnerability has been fixed starting with FortiOS 5.2.3. If upgrading is not possible, the following workarounds apply:
Regarding the DoS condition and the XSS vulnerability: use a local-in policy to restrict access to the CAPWAP server (UDP port 5246) to the IP addresses of legitimate APs. A local-in policy's action defaults to deny, and traffic that matches no local-in policy is still accepted, so the accept policy for the AP subnet is followed by an explicit deny for all other sources. For instance, to authorize only the 192.168.1.0/24 subnet:
config firewall address
    edit "lan_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall service custom
    edit "capwap_udp"
        set udp-portrange 5246
    next
end
config firewall local-in-policy
    edit 0
        set intf "any"
        set srcaddr "lan_subnet"
        set dstaddr "all"
        set service "capwap_udp"
        set schedule "always"
        set action accept
    next
    edit 0
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "capwap_udp"
        set schedule "always"
        set action deny
    next
end
Regarding the XSS vulnerability, to prevent a successful attacker from hijacking your administrator session in the GUI, restrict the Trusted Hosts of each administrator account to your own IP address only:
Single-VDOM configuration: System->Admin->Administrators
Multi-VDOM configuration: Global->Admin->Administrators