FortiClient
ericwang_FTNT
Article Id 192058
Description
An information disclosure vulnerability allows a network-adjacent attacker to determine the TCP/IP stack state of the system (including its IP address, TCP sequence numbers, etc.) by sending spoofed TCP packets to the target when the latter operates under a weak host model.

FortiOS.

FortiOS may be impacted only if 'asymroute' is enabled or if 'strict-src-check' is disabled.

FortiClient.

FortiClient may be impacted if the host system operates under a weak host model.

Scope
FortiOS IPsec VPN.

FortiClient IPsec VPN.

Solution
FortiOS.

Make sure 'asymroute' is disabled in system settings (note that this is the default):

config vdom
    edit [vdom-name]
        config system settings
            set asymroute disable
            set asymroute6 disable
        end
    next
end
If 'asymroute' is enabled, review the unit's firewall policies against the attack scenarios described in reference [1] (section "1. Determining the VPN client's virtual IP address").


If 'strict-src-check' is disabled (note that this is the default value), whether or not the system is vulnerable depends on the unit's policy and route settings.
Make sure 'strict-src-check' is enabled:

config vdom
    edit [vdom-name]
        config system settings
            set strict-src-check enable
        end
    next
end
If 'strict-src-check' is disabled, review the unit's firewall policies and route settings against the attack scenarios described in reference [1] (section "1. Determining the VPN client's virtual IP address").


For instance:

* When there is no policy allowing TCP packets from 192.168.12.1 to 10.8.0.8, the system is not vulnerable.

* When there is a policy allowing TCP packets from 192.168.12.1 to 10.8.0.8:

** When 'asymroute' is enabled, which corresponds to loose mode (RFC 3704 section 2.4), the system is vulnerable.

** When 'strict-src-check' is enabled, which corresponds to strict mode (RFC 3704 section 2.2), the system is not vulnerable.

** When 'strict-src-check' is disabled, which corresponds to feasible mode (RFC 3704 section 2.3), and there is an alternate route from 10.8.0.x to 192.168.12.x, the system may be vulnerable.
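To make the three RFC 3704 modes concrete, the following added example (not code from the article or from Fortinet) models the reverse-path check over a constructed routing table for the 192.168.12.1 -> 10.8.0.8 scenario above; the interface names port1, port2 and tunnel1, the metrics, and the mapping function are assumptions chosen to mirror the article's bullets.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix interface metric")

# Constructed routing table (interface names and metrics are assumptions):
# the best path to 192.168.12.0/24 is port1, a second higher-metric route via
# port2 stands in for the "alternate route" the article mentions, and the VPN
# client's virtual subnet 10.8.0.0/24 lies behind tunnel1.
BEST_ROUTE = Route(ipaddress.ip_network("192.168.12.0/24"), "port1", 10)
ALT_ROUTE = Route(ipaddress.ip_network("192.168.12.0/24"), "port2", 50)
VPN_ROUTE = Route(ipaddress.ip_network("10.8.0.0/24"), "tunnel1", 10)
ROUTES = [BEST_ROUTE, ALT_ROUTE, VPN_ROUTE]


def fortios_mode(asymroute, strict_src_check):
    """Map the two FortiOS settings to the RFC 3704 mode the article assigns them."""
    if asymroute:
        return "loose"          # asymroute enable: any route back is enough
    return "strict" if strict_src_check else "feasible"


def routes_to(src, routes):
    """Routes covering src, longest prefix first and then lowest metric."""
    ip = ipaddress.ip_address(src)
    matching = [r for r in routes if ip in r.prefix]
    return sorted(matching, key=lambda r: (-r.prefix.prefixlen, r.metric))


def rpf_accepts(src, ingress, routes, mode):
    """Reverse-path check: does a packet claiming source src, arriving on
    interface ingress, pass in the given RFC 3704 mode?"""
    candidates = routes_to(src, routes)
    if not candidates:
        return False                     # no route back at all: dropped in every mode
    if mode == "loose":                  # section 2.4: a route merely has to exist
        return True
    if mode == "feasible":               # section 2.3: any route via ingress counts
        return any(r.interface == ingress for r in candidates)
    if mode == "strict":                 # section 2.2: only the best route counts
        return candidates[0].interface == ingress
    raise ValueError(f"unknown mode {mode!r}")


def spoof_reaches_client(ingress, routes, asymroute, strict_src_check, policy_allows):
    """The article's scenario: a spoofed TCP packet 192.168.12.1 -> 10.8.0.8
    reaches the VPN client only if a policy permits it and RPF lets it through."""
    mode = fortios_mode(asymroute, strict_src_check)
    return policy_allows and rpf_accepts("192.168.12.1", ingress, routes, mode)
```

Removing ALT_ROUTE from the table shows why the feasible-mode outcome is only "may be vulnerable": without the alternate route, feasible mode drops the spoofed packet just as strict mode does.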

FortiClient.

Exposure depends on the host operating system FortiClient is installed on, not on FortiClient itself.

Related articles:

[1] https://seclists.org/oss-sec/2019/q4/122

[2] https://en.wikipedia.org/wiki/Host_model

Related Articles

Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing

Technical Note : Reverse Path Forwarding (RPF) implementation and use of strict-src-check enable|dis...

Technical Note: How the FortiGate behaves when asymmetric routing is enabled
