SSL VPN web portal Host Header Redirection

Summary

A Host Header Redirection vulnerability exists in the FortiOS SSL-VPN web portal: the portal builds the target of an HTTP redirection from the Host header of the incoming request, so an attacker who submits a specially crafted HTTP request can make the portal respond with a redirection to a website of the attacker's choosing.
On its own this only affects the attacker's own request. If, however, an intermediate web proxy caches the crafted redirection, other users of that proxy may be sent to the attacker's website when they try to reach the SSL-VPN web portal.
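The following is an added example and not Fortinet code: a minimal stand-in for the portal that shows the vulnerable pattern (Location built from the request's Host header) beside a hardened variant (Host checked against an allow-list, redirect marked non-cacheable), plus the probe a tester would run against a real portal to see whether an injected Host value is reflected. The FQDN vpn.example.com, the attacker host attacker.example, the login path and the port are assumptions chosen for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumptions for the example: the portal's configured FQDN and login path.
CANONICAL_HOST = "vpn.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST, CANONICAL_HOST + ":10443"}
LOGIN_PATH = "/remote/login"


def vulnerable_redirect(host_header, path):
    """Vulnerable pattern: the redirect target is built from the
    client-controlled Host header, so the client chooses the destination."""
    return "https://" + host_header + path


def hardened_redirect(host_header, path):
    """Hardened pattern: only an allow-listed Host reaches the Location
    header; anything else is replaced by the configured FQDN, and the path
    is forced to be a single absolute path (no scheme-relative "//host")."""
    host = (host_header or "").strip().lower()
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return "https://" + host + path


def make_handler(redirect_fn, no_store):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Portal entry point: redirect the client to the login page.
            location = redirect_fn(self.headers.get("Host", ""), LOGIN_PATH)
            self.send_response(302)
            self.send_header("Location", location)
            if no_store:
                # Stops an intermediate proxy from caching the redirect.
                self.send_header("Cache-Control", "no-store")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the example quiet

    return Handler


def serve(redirect_fn, no_store=False):
    """Start a portal stand-in on a free loopback port; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(redirect_fn, no_store))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, injected_host="attacker.example"):
    """Send one request whose Host header names an attacker host and report
    whether the Location header reflects it and whether a proxy could cache
    the response (no "Cache-Control: no-store")."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)  # we supply Host ourselves
    conn.putheader("Host", injected_host)
    conn.endheaders()
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location", "") or ""
    cache_control = (resp.getheader("Cache-Control", "") or "").lower()
    conn.close()
    return {
        "status": resp.status,
        "location": location,
        "reflected": urlsplit(location).hostname == injected_host,
        "cacheable": "no-store" not in cache_control,
    }


def compare():
    """Probe both stand-ins; returns (vulnerable_result, hardened_result)."""
    results = []
    for fn, no_store in ((vulnerable_redirect, False), (hardened_redirect, True)):
        server = serve(fn, no_store)
        try:
            results.append(probe(server.server_address[1]))
        finally:
            server.shutdown()
            server.server_close()
    return tuple(results)


if __name__ == "__main__":
    vuln, fixed = compare()
    print("vulnerable:", vuln)
    print("hardened:  ", fixed)
```

Against a real portal the same probe is simply a request with a forged Host header: a Location header that names the forged host is the vulnerable behaviour, and the absence of Cache-Control: no-store on that response is what makes the proxy-cache poisoning scenario in the summary possible.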

Affected Products

FortiOS 5.4.0 to 6.0.4, 5.2.14 and below.

Solutions

Upgrade to FortiOS 5.2.15, 6.0.5 or 6.2.0
Workarounds:
The risk is low, as the redirection alone only affects the request that carries the crafted Host header; it needs to be combined with another attack (for example poisoning the cache of an intermediate web proxy) to have an impact on other users.
As a precaution, administrators may disable the SSL-VPN service by applying the following CLI commands:

    config vpn ssl settings
        unset source-interface
    end

Note that unsetting source-interface removes every interface on which SSL-VPN listens, so this disables tunnel-mode SSL-VPN as well as the web portal; record the current source-interface setting before applying the workaround so it can be restored after upgrading.

Revision History:
2019-05-17 Initial version
2020-01-03 New fix on 5.2.15 released.

Acknowledgement

Fortinet is pleased to thank Julio Sanchez from SecureAuth Corporation for reporting this vulnerability under responsible disclosure.