PSIRT Advisory

Application control block page leaks private IP and hostname

Summary

The default replacement message in FortiOS' Application control block page reveals the private IP as well as the hostname of the FortiGate.

Impact

Information disclosure

Affected Products

FortiOS 5.6.5, 6.0.1 and below.

Solutions

Upgrade to FortiOS 5.6.6, 6.0.2 or later


Work around:
All the replacement messages are configurable by the administrators. The default replacement messages are just templates. An administrator can easily change them to suit their needs. For example, remove the server/client IPs and FortiOS host names.

Acknowledgement

Fortinet is pleased to thank Anandraj Amaran Security Researcher,22by7 solutions (22by7.in)  and Mark Oakton at Infosec Partners for reporting this vulnerability under responsible disclosure.