PSIRT Advisory

FortiOS flow-mode detection bypass under certain conditions

Summary

A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded  after an update (nearly instantaneous process).
This tends to impact long lived network sessions, with chances to be alive during and after an update, such as SMBv3 sessions.

Description

A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (nearly instantaneous process).
This tends to impact long lived network sessions, with chances to be alive during and after an update, such as SMBv3 sessions.

Impact

Protection bypass

Affected Products

FortiOS version 5.0.x
FortiOS version 5.2.x

Solutions

FortiGates in routed mode:
Upgrade to FortiOS 5.4.0, or stay in proxy-based protection mode (default).

FortiGates in transparent mode:
Upgrade to FortiOS 5.4.0.

For FortiOS 5.2 branch:
Load FortiOS 5.2 compatible[*] IPS engine 3.299 or above.

[*] Reach out to your local TAC for the compatibility support.

Acknowledgement

We are pleased to thank Yves Bieri, Stefan Frei, Christof Jungo of the Swisscom security  group, who discovered the issue while it was in the process of being fixed, and committed to responsible disclosure.