Description
At the recent Black Hat 2019 conference held in Las Vegas August 3-8, security researchers discussed their discovery of security vulnerabilities that impacted several security vendors, including Fortinet. All of the vulnerabilities impacting Fortinet were fixed in April and May of 2019. FortiOS 5.4.13, 5.6.11, 6.0.6 or 6.2.2 are recommended
SSL VPN VULNERABILITIES:
Two of the vulnerabilities directly affecting Fortinet’s implementation of SSL VPN are:
- CVE-2018-13379 (FG-IR-18-384) – This is a path-traversal vulnerability in the FortiOS SSL VPN web portal that could potentially allow an unauthenticated attacker to download files through specially crafted HTTP resource requests. Fortinet advises customers to upgrade to FortiOS 5.4.13, 5.6.11, 6.0.6, 6.2.2.
- CVE-2018-13383 (FG-IR-18-388) – This heap buffer overflow vulnerability in the FortiOS SSL VPN web portal could cause the SSL VPN web service to terminate for logged in users. It could also potentially allow remote code execution on FortiOS due to a failure to handle JavaScript href content properly. This would require an authenticated user to visit a specifically-crafted and proxied webpage. Fortinet advises customers to upgrade to FortiOS 5.6.11, 6.0.6 or 6.2.2 and above.
REMOTE PASSWORD CHANGE VULNERABILITIES:
In May 2019 FortiOS included a “magic” string value that had been previously created at the request of a customer to enable users to implement a password change process when said password was expiring.
That function had been inadvertently bundled into the general FortiOS release, and an Improper Authorization vulnerability resulted in that value being usable on its own to remotely change the password of an SSL VPN web portal user without credentials.
Note: Only users with local authentication were affected - SSL VPN users with remote authentication (LDAP or RADIUS) were not impacted. Here are the details:
- CVE-2018-13382 (FG-IR-18-389) An Improper Authorization vulnerability in the SSL VPN web portal might allow an unauthenticated attacker to change the password of an SSL VPN web portal user using specially crafted HTTP requests. Fortinet advises customers to upgrade to FortiOS 5.4.13, 5.6.11, 6.0.6 or 6.2.2 or above.
REMEDIES:
In May, FortiGuard Labs released patches for CVE-2018-13379, CVE-2018-13383, and CVE-2018-13382. A patch has also been released for all affected versions of FortiOS for this vulnerability.
Our customer’s security is our first priority and Fortinet urges customers to immediately implement all appropriate patch updates and signatures.
In addition to industry-leading best practices, Fortinet follows and complies with regular review processes that include multiple tiers of inspection, internal and third-party audits, and automated triggers and tools across the entire development of our source code.
Fortinet have strengthened their processes and best practices, including:
- Yearly secure code training
- RTF (remediate the flag) tournaments for developers
- A bug identification incentive program
- Mandatory sign off on our Secure Coding Handbook for developers based on OWASP and industry best practices
- Periodic black box assessments of products using an adversary approach and performed by different independent third parties
- Automated monitoring of the vulnerability landscape via web and mailing lists crawlers
Contact Fortinet Customer Services and Support if further information is required.
