PSIRTAuthentication bypass in administrative interface
Summary
An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
## Exploitation Status:
Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs:user=Local_Process_Access
Please contact customer support for assistance.
## UPDATE:
Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices, and to add a malicious super_admin account called 'fortigate-tech-support':<br/># show system admin<br/>edit fortigate-tech-support<br/>set accprofile super_admin<br/>set vdom root<br/>set password ENC [...]<br/>next<br/>
Please contact customer support for assistance.
## Workaround:
## FortiOS:
Disable HTTP/HTTPS administrative interface
OR
Limit IP addresses that can reach the administrative interface:<br/>config firewall address<br/>edit my_allowed_addresses<br/>set subnet <MY IP> <MY SUBNET><br/>end<br/>
Then create an Address Group:<br/>config firewall addrgrp<br/>edit MGMT_IPs<br/>set member my_allowed_addresses<br/>end<br/>
Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):<br/>config firewall local-in-policy<br/>edit 1<br/>set intf port1<br/>set srcaddr MGMT_IPs<br/>set dstaddr all<br/><br/>set action accept<br/>set service HTTPS HTTP<br/>set schedule always<br/><br/>set status enable<br/>next<br/><br/>edit 2<br/>set intf any<br/>set srcaddr all<br/>set dstaddr all<br/>set action deny<br/>set service HTTPS HTTP<br/>set schedule always<br/>set status enable<br/>end<br/>
If using non default ports, create appropriate service object for GUI administrative access:<br/>config firewall service custom<br/>edit GUI_HTTPS<br/>set tcp-portrange admin-sport<br/>next<br/><br/>edit GUI_HTTP<br/><br/>set tcp-portrange admin-port<br/>end<br/>
Use these objects instead of 'HTTPS HTTP' in the local-in policy 1 and 2 below.
UPDATE: When using an HA reserved management interface, the local in policy needs to be configured slightly differently - please see:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005
Please contact customer support for assistance.
## FortiProxy:
Disable HTTP/HTTPS administrative interface
OR
For FortiProxy VM all versions or FortiProxy appliance 7.0.6:
Limit IP addresses that can reach the administrative interface (here: port1):<br/>config system interface<br/>edit port1<br/>set dedicated-to management<br/>set trust-ip-1 <MY IP> <MY SUBNET<br/>end<br/>
Please contact customer support for assistance.
## FortiSwitchManager:
DIsable HTTP/HTTPS administrative interface
Please contact customer support for assistance.
Affected Products
FortiOS versions 5.x, 6.x are NOT impacted.
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
Solutions
Please upgrade to FortiOS version 7.2.2 or above
Please upgrade to FortiOS version 7.0.7 or above
Please upgrade to FortiProxy version 7.2.1 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiSwitchManager version 7.2.1 or above
Please upgrade to FortiSwitchManager version 7.0.1 or above
Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F
series platforms