PSIRT Advisory

Unauthenticated SSL VPN user password modification

Summary

An Improper Authorization vulnerability in the SSL VPN web portal may allow an unauthenticated attacker to change the password of an SSL VPN web portal user via specially crafted HTTP requests.

Affected Products

FortiOS 6.0.0 to 6.0.4
FortiOS 5.6.0 to 5.6.8
FortiOS 5.4.1 to 5.4.10

Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.

Note that only users with local authentication are affected; SSL VPN users with remote authentication (LDAP or RADIUS) are not impacted.

Versions 5.4.0 and below (including branch 5.2) are not affected.

Solutions

Upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.
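The affected ranges and fixed releases above are easy to misread when triaging a fleet of devices (for example, 5.4.0 is safe but 5.4.1 is not, and 5.2.x is never affected). The following script is an added example, not Fortinet's code or part of the advisory: it encodes the ranges exactly as stated here, parses the version string as it appears in the first line of "get system status" output (the sample line below is constructed), and applies the two conditions the advisory gives (SSL VPN enabled, local authentication in use) to decide whether a unit is exposed and which release on its branch closes the issue.

```python
"""Triage helper for the FortiOS SSL VPN password-modification advisory.

Added example, not part of the advisory. The affected ranges, fixed
releases and exposure conditions are taken verbatim from the advisory
text; everything else (function names, sample input) is constructed.
"""
import re

# Inclusive affected ranges, as listed under "Affected Products".
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 4)),
    ((5, 6, 0), (5, 6, 8)),
    ((5, 4, 1), (5, 4, 10)),
)

# First fixed release per affected branch, as listed under "Solutions".
FIXED_ON_BRANCH = {
    (6, 0): "6.0.5",
    (5, 6): "5.6.9",
    (5, 4): "5.4.11",
}


def parse_version(text):
    """Extract the x.y.z version from a FortiOS version string.

    Accepts bare '6.0.3' as well as the form printed by 'get system status',
    e.g. 'Version: FortiGate-60E v6.0.3,build0200,190107 (GA)' (constructed).
    """
    match = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected_version(text):
    """True if the version falls inside one of the advisory's ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def recommended_fix(text):
    """Lowest fixed release on the device's branch, or None if not affected."""
    if not is_affected_version(text):
        return None
    major, minor, _ = parse_version(text)
    return FIXED_ON_BRANCH[(major, minor)]


def assess(text, ssl_vpn_enabled, has_local_ssl_vpn_users):
    """Classify a unit using the advisory's conditions.

    Returns one of:
      'not-affected-version' - firmware outside the affected ranges
      'ssl-vpn-disabled'     - affected firmware, but SSL VPN is off
      'remote-auth-only'     - SSL VPN on, but all VPN users use LDAP/RADIUS
      'exposed'              - affected firmware, SSL VPN on, local users
    """
    if not is_affected_version(text):
        return "not-affected-version"
    if not ssl_vpn_enabled:
        return "ssl-vpn-disabled"
    if not has_local_ssl_vpn_users:
        return "remote-auth-only"
    return "exposed"


if __name__ == "__main__":
    # Constructed sample in the shape of a 'get system status' first line.
    sample = "Version: FortiGate-60E v6.0.3,build0200,190107 (GA)"
    verdict = assess(sample, ssl_vpn_enabled=True, has_local_ssl_vpn_users=True)
    print(sample)
    print("affected version:", is_affected_version(sample))
    print("verdict:", verdict)
    print("upgrade to:", recommended_fix(sample))
```

The inventory inputs (whether SSL VPN is enabled and whether any SSL VPN users authenticate locally) are the two facts the advisory says decide exposure, so they are passed in explicitly rather than guessed from the version alone; a device on affected firmware with remote-only authentication is still flagged for upgrade by recommended_fix, but assess reports it as not currently exposed.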

Workaround:

The only workaround is to migrate SSL VPN user authentication from local to remote (LDAP or RADIUS), or totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Note that firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.

As an example, when source-interface is "port1" and the SSL VPN interface is "ssl.root", the following CLI commands would be needed to ensure "unset source-interface" executes successfully:

config vpn ssl settings
config authentication-rule
purge (purge all authentication-rules)
end
end

config firewall policy
delete [policy-id] (SSL VPN policy ID(s) that srcintf is "ssl.root" and dstintf is "port1")
end

Revision History:

2019-05-24 Initial version
2019-06-04 Clarified the affected versions and workarounds.

Acknowledgement

Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.