Description
OpenVAS/Nessus scanners report that FortiOS is vulnerable to a format string attack on the URI (Nessus plugin ID 15640).
After investigation, this proves to be a false positive: FortiOS is not vulnerable.
Solution
The OpenVAS/Nessus alert can be ignored as it is a false positive.
The scanner builds multiple HTTP requests with the following attributes:
Method: GET, HEAD, OPTIONS, TRACE, MOVE, INDEX, MKDIR, RMDIR, PUT, DELETE
URI: "%08x", "%s", "%#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x"
It then looks for the following grep pattern in the reply coming from FortiOS: [0-9a-fA-F]{8}
Such a broad pattern can easily lead to a false positive, which is the case here.
FortiOS answers the request with a 400 response code and includes a CSRF token in the response body to protect administrator users against CSRF attacks.
The format of the CSRF token (a hexadecimal string) matches the regex, hence the vulnerability alert is triggered.
cURL example with 192.168.1.1 being the target device (the regex is quoted so the shell does not interpret it):
$ curl -s http://192.168.1.1/%s | egrep '[0-9a-fA-F]{8}'
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='6fafa724b48c389453e7a3c8593b8834' /></div><div class="dlg" >
Note that plain HTTP was used in the above example only to demonstrate how the OpenVAS/Nessus scan operates.
Fortinet PSIRT recommends using HTTPS on all Fortinet devices for web administrative access.
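The following Python script is an added triage example, not part of the original article or of any Fortinet or scanner code. It re-applies the scanner's grep pattern to a saved response body, then redacts the csrfmiddlewaretoken value and checks whether any 8-hex-digit run remains: if none does, the only "leak" was the CSRF token and the finding is the false positive described above. The sample bodies are constructed for the example (the 400 body is the fragment quoted in the article; the "leak" body is made up to show what a real hit would look like), and the function names are the author's own.

```python
import re

# The pattern the scanner greps for in the reply (from the article).
SCANNER_PATTERN = re.compile(r"[0-9a-fA-F]{8}")

# Hidden-input CSRF token as emitted in the FortiOS 400 response body.
# Attribute order and quoting follow the fragment shown in the article.
CSRF_TOKEN_INPUT = re.compile(
    r"(name=['\"]csrfmiddlewaretoken['\"]\s+value=['\"])[0-9a-fA-F]+(['\"])"
)

# Constructed sample: the 400 response body quoted in the article.
SAMPLE_FORTIOS_400_BODY = (
    "<div style='display:none'><input type='hidden' "
    "name='csrfmiddlewaretoken' value='6fafa724b48c389453e7a3c8593b8834' "
    "/></div><div class=\"dlg\" >"
)

# Constructed sample of what a genuine format-string leak would look like:
# stack words echoed back into the page. Values are made up for illustration.
SAMPLE_LEAK_BODY = "<html><body>0x7ffd3c2a bfa0de5c 41414141</body></html>"


def scanner_matches(body: str) -> list:
    """Apply the scanner's own check: every 8-hex-digit run in the reply."""
    return SCANNER_PATTERN.findall(body)


def redact_csrf_token(body: str) -> str:
    """Replace the CSRF token value so it can no longer satisfy the scanner regex."""
    return CSRF_TOKEN_INPUT.sub(r"\1[csrf-token]\2", body)


def triage(body: str) -> dict:
    """Classify a scanner hit on a saved response body.

    If every hex run disappears once the CSRF token is redacted, the token
    was the only thing matching, i.e. the finding is a false positive.
    Anything that still matches afterwards deserves a manual look.
    """
    raw = scanner_matches(body)
    remaining = scanner_matches(redact_csrf_token(body))
    if not raw:
        verdict = "no-hit"
    elif not remaining:
        verdict = "false-positive-csrf-token"
    else:
        verdict = "needs-review"
    return {"raw_matches": raw, "after_redaction": remaining, "verdict": verdict}


if __name__ == "__main__":
    for label, body in (
        ("fortios-400", SAMPLE_FORTIOS_400_BODY),
        ("constructed-leak", SAMPLE_LEAK_BODY),
    ):
        print(label, triage(body))
```

To use it against a real device, save the body returned for the probe request (for example with curl -s -o body.html) and pass its contents to triage(); the same redaction idea can be applied to any other token-like field the management interface emits.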