Update, Nov 2020:
More than a year after Fortinet described this SSL VPN vulnerability, it is getting new attention. A few days ago a list of IP addresses and domain names of vulnerable FortiGates was published. The list is dated November 2019, and one can only hope that many of these systems have been patched since then.
Two days ago the list was extended with usernames and passwords that had been extracted by exploiting this vulnerability. Even if the FortiGates themselves have been patched, as long as those passwords have not been changed an attacker can still use them to gain access to the protected networks.
This episode again teaches us two things that we have known for a long time:
First, regular updates of the FortiGate should be common practice, and at the latest when the vendor publishes a security advisory, an update to a patched version is mandatory. Admittedly, right now you have to think seriously about whether to move to v6.2 or v6.4, but v6.0 with the current patch release should be the minimum. Second, passwords must be changed regularly and, better still, protected by MFA, so that a leaked password alone is not enough to log in.
Original blog article (April 2019):
Several vulnerabilities in the SSL VPN portal of the FortiGate have become known. They range from redirects via cross-site scripting (XSS) to the download of system files and the resetting of user passwords.
FortiGate SSL VPN web portal login redir XSS vulnerability (FG-IR-17-242, CVE-2017-14186)
Unauthenticated SSL VPN users password modification (FG-IR-18-389, CVE-2018-13382)
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests (FG-IR-18-384, CVE-2018-13379)
To fix these vulnerabilities, Fortinet has released the following versions:
FortiOS 5.4.x –> Fix Release 5.4.11
FortiOS 5.6.x –> Fix Release 5.6.9
FortiOS 6.0.x –> Fix Release 6.0.5
FortiOS 6.2.0 is not affected
We therefore expressly recommend updating to a FortiOS version in which these vulnerabilities are fixed. When doing so, please also follow our guide to a successful update.
We will update this blog entry as soon as more detailed information is available.
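To turn the fix-release table above into something you can run against a device inventory, here is a small triage script. It is an added example for this post, not code from the original article or from Fortinet. It assumes version strings in the form of the "Version:" line of the FortiOS CLI output (e.g. "Version: FortiGate-60E v6.0.4,build0231,190107 (GA)"); the hostnames, build numbers and dates in the sample inventory are constructed. Branches that the table does not mention (5.2, 6.4, ...) are reported as "unknown" rather than as safe, because the table says nothing about them.

```python
import re
from typing import Dict, List, Set, Tuple

# Fix releases exactly as listed in the blog post (April 2019 table):
#   FortiOS 5.4.x -> 5.4.11, 5.6.x -> 5.6.9, 6.0.x -> 6.0.5, 6.2.0 not affected.
# Keys are (major, minor) branches, values the first patched patch level.
FIX_RELEASES: Dict[Tuple[int, int], int] = {
    (5, 4): 11,
    (5, 6): 9,
    (6, 0): 5,
}
NOT_AFFECTED: Set[Tuple[int, int]] = {(6, 2)}

# Matches the first 'vX.Y.Z' / 'X.Y.Z' in a string such as
# 'Version: FortiGate-60E v6.0.4,build0231,190107 (GA)'. Model names like
# '60E' or '100E' do not match because they contain no dots.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a FortiOS version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def assess(version_text: str) -> Tuple[str, str]:
    """Classify one version string against the fix-release table.

    Returns (status, detail); status is one of
    'vulnerable', 'fixed', 'not_affected', 'unknown'.
    """
    major, minor, patch = parse_fortios_version(version_text)
    branch = (major, minor)
    if branch in NOT_AFFECTED:
        return "not_affected", f"FortiOS {major}.{minor} is listed as not affected"
    if branch not in FIX_RELEASES:
        # Not covered by the table on this page: do not report as safe,
        # check the vendor PSIRT entries for this branch instead.
        return "unknown", f"FortiOS {major}.{minor} is not covered by the fix-release table"
    fixed_patch = FIX_RELEASES[branch]
    if patch >= fixed_patch:
        return "fixed", f"{major}.{minor}.{patch} >= fix release {major}.{minor}.{fixed_patch}"
    return (
        "vulnerable",
        f"{major}.{minor}.{patch} < fix release {major}.{minor}.{fixed_patch}; update required",
    )


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Assess every device in a {hostname: version string} inventory and
    return only the ones that need action ('vulnerable' first, then 'unknown')."""
    order = {"vulnerable": 0, "unknown": 1, "not_affected": 2, "fixed": 3}
    rows = []
    for host, version_text in inventory.items():
        status, detail = assess(version_text)
        rows.append((host, status, detail))
    rows.sort(key=lambda r: order[r[1]])  # stable sort keeps inventory order within a group
    return [r for r in rows if r[1] in ("vulnerable", "unknown")]


# Constructed sample inventory: hostnames, build numbers and dates are made up
# for this example; only the version numbers matter for the assessment.
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-branch-01": "Version: FortiGate-60E v6.0.4,build0001,190101 (GA)",
    "fw-branch-02": "Version: FortiGate-100E v5.6.9,build0002,190102 (GA)",
    "fw-dc-01": "Version: FortiGate-600D v6.2.0,build0003,190103 (GA)",
    "fw-legacy": "Version: FortiGate-60D v5.4.6,build0004,190104 (GA)",
    "fw-lab": "Version: FortiGate-VM64 v6.4.2,build0005,200105 (GA)",
}

if __name__ == "__main__":
    for host, status, detail in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:11} {detail}")
```

Run as a script it lists fw-branch-01 and fw-legacy as vulnerable and fw-lab as unknown; fw-branch-02 (5.6.9) and fw-dc-01 (6.2.0) need no action according to the table. Keep in mind, as the November 2020 update above points out, that a device reported as "fixed" may still be exposed through credentials that leaked before it was patched; the version check says nothing about that.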
Sources:
https://fortiguard.com/psirt/FG-IR-17-242
https://fortiguard.com/psirt/FG-IR-18-389
https://fortiguard.com/psirt/FG-IR-18-384
FortiOS 5.4 has not been actively developed since December 2018, which is why we recommend using a newer release.