Authentication bypass in administrative interface

Summary

An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

Exploitation Status:

Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device's logs:

user=Local_Process_Access

Please contact customer support for assistance.

UPDATE:

Fortinet is aware of instances where this vulnerability was exploited to download the config file from the targeted devices, and to add a malicious super_admin account called 'fortigate-tech-support':

# show system admin
edit fortigate-tech-support
set accprofile super_admin
set vdom root
set password ENC [...]
next

Please contact customer support for assistance.
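As an added example (not part of Fortinet's advisory), the following Python scanner checks FortiOS-style key=value event logs for the two indicators above: requests logged under the user Local_Process_Access, and the creation of a system admin object named 'fortigate-tech-support'. The cfgpath/cfgobj field names and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Indicator from the advisory: requests that rode the bypass are logged with this user.
BYPASS_USER = "Local_Process_Access"
# Account name the advisory reports being added by the attacker.
ROGUE_ADMIN = "fortigate-tech-support"

# FortiOS event logs are key=value records; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (surrounding quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def findings_for(line: str) -> List[str]:
    """Return the names of the indicators matched by one log line."""
    rec = parse_kv(line)
    hits = []
    if rec.get("user") == BYPASS_USER:
        hits.append("bypass_user")
    # Config-change events carry cfgpath/cfgobj (assumed field names); a new
    # system.admin object with the reported account name is the second indicator.
    if rec.get("cfgpath") == "system.admin" and rec.get("cfgobj") == ROGUE_ADMIN:
        hits.append("rogue_admin")
    return hits


def scan(lines):
    """Return (line_number, indicators, context) for every suspicious line."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = findings_for(line)
        if hits:
            rec = parse_kv(line)
            ctx = {k: rec.get(k, "") for k in ("date", "time", "user", "ui", "cfgobj")}
            out.append((n, hits, ctx))
    return out


# Constructed sample lines in FortiOS key=value style (not real device output).
SAMPLE_LOG = """\
date=2022-10-10 time=08:15:02 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(192.0.2.10)"
date=2022-10-10 time=08:17:40 type="event" subtype="system" logdesc="Object attribute configured" user="Local_Process_Access" ui="https(203.0.113.5)" cfgpath="system.admin" cfgobj="fortigate-tech-support" cfgattr="accprofile[super_admin]"
date=2022-10-10 time=08:18:01 type="event" subtype="system" logdesc="Configuration backup" user="Local_Process_Access" ui="https(203.0.113.5)"
date=2022-10-10 time=09:00:00 type="event" subtype="system" logdesc="Admin logout" user="admin" ui="https(192.0.2.10)"
""".splitlines()

if __name__ == "__main__":
    for n, hits, ctx in scan(SAMPLE_LOG):
        print(f"line {n}: {','.join(hits)} {ctx}")
```

Point scan() at the lines of an exported event log to get the matching line numbers with their source address (ui) and timestamp.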

Workaround:

FortiOS:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface:

config firewall address
edit my_allowed_addresses
set subnet <MY IP> <MY SUBNET>
end

Then create an Address Group:

config firewall addrgrp
edit MGMT_IPs
set member my_allowed_addresses
end

Create the local-in policy to restrict access to the predefined group only, on the management interface (here: port1):

config firewall local-in-policy
edit 1
set intf port1
set srcaddr MGMT_IPs
set dstaddr all
set action accept
set service HTTPS HTTP
set schedule always
set status enable
next
edit 2
set intf any
set srcaddr all
set dstaddr all
set action deny
set service HTTPS HTTP
set schedule always
set status enable
end

If using non-default ports, create appropriate service objects for GUI administrative access:

config firewall service custom
edit GUI_HTTPS
set tcp-portrange admin-sport
next
edit GUI_HTTP
set tcp-portrange admin-port
end

Use these objects instead of 'HTTPS HTTP' in local-in policies 1 and 2 above.

UPDATE: When using an HA reserved management interface, the local-in policy needs to be configured slightly differently; please see:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-a-local-in-policy-on-a-HA/ta-p/222005

Please contact customer support for assistance.

FortiProxy:

Disable HTTP/HTTPS administrative interface

OR

For FortiProxy VM (all versions) or FortiProxy appliance 7.0.6:

Limit IP addresses that can reach the administrative interface (here: port1):

config system interface
edit port1
set dedicated-to management
set trust-ip-1 <MY IP> <MY SUBNET>
end

Please contact customer support for assistance.

FortiSwitchManager:

Disable HTTP/HTTPS administrative interface

Please contact customer support for assistance.

Version                   Affected                                                            Solution
------------------------  ------------------------------------------------------------------  ---------------------------
FortiOS 7.2               7.2.0 through 7.2.1                                                 Upgrade to 7.2.2 or above
FortiOS 7.0               7.0.0 through 7.0.6 (special below for FG6000F and 7000E models)    Upgrade to 7.0.7 or above
FortiOS 6.4               Not affected                                                        Not Applicable
FortiOS 6.2               Not affected                                                        Not Applicable
FortiProxy 7.2            7.2.0                                                               Upgrade to 7.2.1 or above
FortiProxy 7.0            7.0.0 through 7.0.6                                                 Upgrade to 7.0.7 or above
FortiProxy 2.0            Not affected                                                        Not Applicable
FortiProxy 1.2            Not affected                                                        Not Applicable
FortiProxy 1.1            Not affected                                                        Not Applicable
FortiProxy 1.0            Not affected                                                        Not Applicable
FortiSwitchManager 7.2    7.2.0                                                               Upgrade to 7.2.1 or above
FortiSwitchManager 7.0    7.0.0                                                               Upgrade to 7.0.1 or above

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Please upgrade to FortiOS version 7.0.5 B8001 or above for FG6000F and 7000E/F series platforms.