FortiGate privilege escalation through restore config

Summary

A privilege escalation vulnerability in FortiOS may allow admin users to elevate their profile to super_admin, via restoring modified configurations.

Affected Products

FortiOS 6.0.0 to 6.0.6 FortiOS 5.6.0 to 5.6.10 FortiOS 5.4 all versions and below.

Solutions

FortiOS 6.0 upgrade to 6.0.7 or 6.2.0 and above FortiOS 5.6 upgrade to 5.6.11 and above FortiOS 5.4 and below upgrade to 5.6.11 or above Workarounds: The conditions to achieve privilege escalation via this vulnerability are as follows: * Regular mode (no VDOM): The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write" * VDOM mode: The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write", and the user's profile's scope is set to "global" The following CLI commands prevent those conditions to be met: * Regular mode: config system accprofile edit [profile-name] set sysgrp custom config sysgrp-permission set admin none set mnt none end next end * VDOM mode: config system accprofile edit [profile-name] set scope vdom set sysgrp custom config sysgrp-permission set admin none set mnt none end next end Revision History: 04-02-2019 Initial version 08-21-2019 New fix on 5.6.11 released. 11-14-2019 New fix on 6.0.7 released. 05-22-2020 Add Reference.

Acknowledgement

Fortinet is pleased to thank independent researcher youssef El GARROUM for reporting this vulnerability under responsible disclosure.