FortiOS CAPWAP server two vulnerabilities
Denial of service of the CAPWAP service, and an authenticated cross-site scripting (XSS) vulnerability
FortiOS with CAPWAP enabled:
5.2.2 and below
5.0.11 and below
Solutions
Upgrade FortiOS to the following versions:
Make sure CAPWAP is disabled if it is not needed. Run:
show system interface
The "allowaccess" entry of each interface must not list "capwap". If it does, reconfigure the interface without capwap. Note that "set allowaccess" replaces the whole list, so name every management protocol the interface still needs. For instance, for an interface named port1 (name assumed here):
config system interface
    edit "port1"
        set allowaccess ssh https
    next
end
If CAPWAP is needed, upgrade: the XSS vulnerability has been fixed starting with FortiOS 5.2.3.
Otherwise, the following workarounds apply:
Regarding the DoS condition and the XSS vulnerability: use a local-in policy to restrict access to the CAPWAP server to the IP addresses of legitimate APs. Local-in policies are evaluated top-down, and traffic that matches none of them is still admitted according to "allowaccess", so the accept policy for the AP subnet must be followed by a second local-in policy that denies the same service with srcaddr "all"; without that deny, the accept policy changes nothing. CAPWAP data traffic uses UDP 5247; extend the port range if that channel should be restricted as well. For instance, to authorize only the 192.168.1.0/24 subnet (the address object, the service and the accept policy; add the deny policy after it):
config firewall address
    edit "lan_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall service custom
    edit "capwap_udp"
        set udp-portrange 5246
    next
end
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "lan_subnet"
        set dstaddr "all"
        set action accept
        set service "capwap_udp"
        set schedule "always"
    next
end
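As an added check, not part of the Fortinet advisory, the following Python script audits FortiOS "show" output offline for both workarounds above: it lists the interfaces whose "allowaccess" still includes capwap, and it verifies that a local-in policy admits the CAPWAP service only from a named address object and is followed by a deny from "all". The sample configuration embedded in it is constructed; the interface name port1 and the address object lan_subnet are assumptions, and treating a policy with no "set action" line as a deny relies on the FortiOS default (use "show full-configuration" to see the action printed explicitly).

```python
import shlex

CAPWAP_CONTROL_PORT = 5246  # UDP port the advisory's custom service covers


def parse_fortios_config(text):
    """Parse FortiOS CLI config into {section path: [entry, ...]}; each entry maps
    'set' keys to value lists and keeps its 'edit' name under '_name'."""
    sections, path, cur = {}, [], []  # cur: open 'edit' entry per nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            name = " ".join(args)
            if path:  # nested block: file it under "parent/entry/child"
                name = f"{path[-1]}/{(cur[-1] or {}).get('_name') or ''}/{name}"
            path.append(name)
            cur.append(None)
            sections.setdefault(name, [])
        elif cmd == "edit":
            cur[-1] = {"_name": args[0]}
            sections[path[-1]].append(cur[-1])
        elif cmd == "set":
            if cur[-1] is None:  # section-level 'set', e.g. config system global
                cur[-1] = {"_name": None}
                sections[path[-1]].append(cur[-1])
            cur[-1][args[0]] = args[1:]
        elif cmd == "next":
            cur[-1] = None
        elif cmd == "end":
            path.pop()
            cur.pop()
    return sections


def interfaces_exposing_capwap(sections):
    """Interfaces whose 'allowaccess' lists capwap, which the advisory says must not appear."""
    return [e["_name"] for e in sections.get("system interface", [])
            if "capwap" in e.get("allowaccess", [])]


def capwap_local_in_status(sections):
    """Local-in policies match top-down and unmatched traffic is still admitted by
    'allowaccess', so an accept from the AP subnet only restricts CAPWAP when a
    later policy denies the same service from 'all'."""
    svc = set()  # custom services whose UDP range covers the CAPWAP control port
    for s in sections.get("firewall service custom", []):
        for rng in s.get("udp-portrange", []):  # "5246", "5246-5247" or "dst:src"
            lo, _, hi = rng.split(":")[0].partition("-")
            if int(lo) <= CAPWAP_CONTROL_PORT <= int(hi or lo):
                svc.add(s["_name"])
    scoped, deny_all = [], []
    for idx, pol in enumerate(sections.get("firewall local-in-policy", [])):
        if not svc & set(pol.get("service", [])):
            continue
        # Missing 'set action' = FortiOS default deny (assumption; 'show full-configuration' prints it)
        if pol.get("action", ["deny"]) == ["accept"]:
            if pol.get("srcaddr") != ["all"]:
                scoped.append((idx, pol))
        elif pol.get("srcaddr") == ["all"]:
            deny_all.append(idx)
    return {"allowed_sources": sorted({a for _, p in scoped for a in p["srcaddr"]}),
            "deny_fallback": bool(deny_all),
            "restricted": bool(scoped) and bool(deny_all)
            and max(i for i, _ in scoped) < max(deny_all)}


# Constructed sample 'show' output; the interface name and address object are assumptions.
BASE = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh capwap
    next
end
config firewall service custom
    edit "capwap_udp"
        set udp-portrange 5246
    next
end
config firewall local-in-policy
"""
ACCEPT_APS = """\
    edit 1
        set intf "any"
        set srcaddr "lan_subnet"
        set dstaddr "all"
        set action accept
        set service "capwap_udp"
        set schedule "always"
    next
"""
# The deny fallback: the same policy with srcaddr "all" and action deny, ordered after the accept.
DENY_REST = ACCEPT_APS.replace("edit 1", "edit 2").replace('"lan_subnet"', '"all"').replace("accept", "deny")
HARDENED = BASE + ACCEPT_APS + DENY_REST + "end\n"
ACCEPT_ONLY = BASE + ACCEPT_APS + "end\n"  # admits the APs but never denies anyone else

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("accept-only", ACCEPT_ONLY)):
        s = parse_fortios_config(cfg)
        print(label, interfaces_exposing_capwap(s), capwap_local_in_status(s))
```

Feed it the output of "show system interface", "show firewall service custom" and "show firewall local-in-policy" concatenated; an interface reported by interfaces_exposing_capwap still needs the allowaccess fix, and a "restricted": False result means the local-in policy either lacks the deny from "all" or has it ordered before the accept, where it blocks the APs themselves.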
Regarding the XSS vulnerability: to prevent a successful attacker from hijacking an administrator's GUI session, restrict each administrator account's Trusted Hosts to the IP addresses administrators actually connect from:
Single-vdom configuration: System->Admin->Administrators
Multi-vdoms configuration: Global->Admin->Administrators