FortiGate privilege escalation through restore config
Summary
A privilege escalation vulnerability in FortiOS may allow admin users to elevate their profile to super_admin by restoring a modified configuration.
Affected Products
FortiOS 6.0.0 to 6.0.6
FortiOS 5.6.0 to 5.6.10
FortiOS 5.4 all versions and below.
Solutions
FortiOS 6.0 upgrade to 6.0.7 or 6.2.0 and above
FortiOS 5.6 upgrade to 5.6.11 and above
FortiOS 5.4 and below upgrade to 5.6.11 or above
Workarounds:
The conditions to achieve privilege escalation via this vulnerability are as follows:
* Regular mode (no VDOM):
The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write"
* VDOM mode:
The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write", and the user's profile's scope is set to "global"
The following CLI commands prevent those conditions from being met:
* Regular mode:
config system accprofile
    edit [profile-name]
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
end
* VDOM mode:
config system accprofile
    edit [profile-name]
        set scope vdom
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
end
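The following script is an added example (not Fortinet code or part of this advisory) that scans a FortiOS configuration backup for admin profiles meeting the conditions above, in either regular or VDOM mode, so the workaround can be applied to exactly those profiles. It assumes, beyond what the page states, that a plain "set sysgrp read-write" grants every sysgrp-permission (admin and mnt included) and that a profile without a "set scope" line has scope vdom; the sample configuration is constructed.

```python
"""Audit a FortiOS config backup for admin profiles meeting this advisory's escalation
conditions (added example, not Fortinet code). Assumed, not stated on the page: 'set sysgrp
read-write' grants every sysgrp-permission, and a profile without 'set scope' is scope vdom."""
import re
# Constructed sample: a risky global profile, one hardened per the workaround, one vdom-scoped.
SAMPLE_CONFIG = """\
config system accprofile
    edit "ops-global"
        set scope global
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
            set mnt read-write
        end
    next
    edit "ops-hardened"
        set scope global
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
    edit "ops-vdom"
        set scope vdom
        set sysgrp read-write
    next
end
"""

def parse_accprofiles(text: str) -> dict:
    """Return {name: {scope, sysgrp, admin, mnt}} for each entry of the accprofile table."""
    table = text.partition("config system accprofile")[2].partition("\nend")[0]  # to unindented 'end'
    profiles = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\n\s*next', table, re.S):
        p = {"scope": "vdom", "sysgrp": "none", "admin": "none", "mnt": "none"}  # defaults
        p.update((k, v) for k, v in re.findall(r"set (\w+) (\S+)", body) if k in p)
        profiles[name] = p
    return profiles

def escalation_capable(p: dict, vdom_mode: bool) -> bool:
    """Advisory conditions: admin and mnt read-write; in VDOM mode, scope global as well."""
    if p["sysgrp"] == "read-write":  # a non-custom sysgrp value covers every sub-permission
        admin = mnt = "read-write"
    else:
        admin, mnt = (p["admin"], p["mnt"]) if p["sysgrp"] == "custom" else ("none", "none")
    return admin == mnt == "read-write" and (p["scope"] == "global" or not vdom_mode)

def audit(text: str, vdom_mode: bool) -> list:
    return sorted(n for n, p in parse_accprofiles(text).items() if escalation_capable(p, vdom_mode))
```

audit() returns the profile names that should receive the workaround commands; run it once with vdom_mode=False for a regular-mode unit and once with vdom_mode=True for a VDOM-enabled one.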
Revision History:
04-02-2019 Initial version
08-21-2019 New fix on 5.6.11 released.
11-14-2019 New fix on 6.0.7 released.
05-22-2020 Add Reference.