Debbie_FTNT
Staff
Article Id 190421
Description
This article describes how to configure the workaround from advisory FG-IR-17-053 on FortiGates running FortiOS versions below 6.0; the CLI commands given in the advisory itself are only valid for 6.0.

Useful links:

Fortinet Documentation
Fortinet Advisory on FG-IR-17-053 “FortiOS admin privilege escalation via restoring configs”:
https://fortiguard.com/psirt/FG-IR-17-053

CLI guides for FortiOS:

https://docs.fortinet.com/product/fortigate/

Solution
There is a known vulnerability, FG-IR-17-053, that can allow an administrator to escalate their privileges by downloading the configuration file, modifying it, and then restoring the modified configuration.
To prevent this, these commands need to be set in 6.0:

Regular mode:

config system accprofile
    edit [profile-name]
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
end

VDOM mode:

config system accprofile
    edit [profile-name]
        set scope vdom
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
end


In 5.2, 5.4 and 5.6 the following syntax needs to be used instead:

Regular mode:

config system accprofile
    edit [profile-name]
        set mntgrp none
        set admingrp none
    next
end

VDOM mode:

config global
    config system accprofile
        edit [profile-name]
            set mntgrp none
            set admingrp none
        next
    end
end
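To check which access profiles still grant the admin or mnt permissions before applying the workaround (or to confirm it afterwards), a configuration backup can be audited offline. The following Python script is an added example, not part of this article or a Fortinet tool; it parses the 'config system accprofile' table in both the 6.0 syntax (sysgrp / sysgrp-permission) and the 5.2-5.6 syntax (admingrp / mntgrp), and assumes that an option omitted from the backup is at its default of none, which should be verified against the firmware in use. The sample configuration is constructed.

```python
# Constructed sample of a FortiOS config backup (not taken from a real device).
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin"
        set sysgrp read-write
    next
    edit "helpdesk"
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
    edit "legacy_ops"
        set mntgrp read-write
        set admingrp none
    next
end
"""
PERMS = ("admin", "mnt")  # the two permissions the workaround sets to none

def parse_accprofiles(config_text):
    """Map profile name -> {"admin": v, "mnt": v}; understands the 6.0 syntax
    (sysgrp / sysgrp-permission) and the 5.2-5.6 syntax (admingrp / mntgrp).
    Assumption (verify on your firmware): an omitted option is at its default,
    which this script treats as "none"."""
    _, _, table = config_text.partition("config system accprofile")
    profiles, name, depth = {}, None, 0
    for line in (ln.strip() for ln in table.splitlines()):
        if line.startswith("edit "):
            name = line[5:].strip('"')
            profiles[name] = dict.fromkeys(PERMS, "none")
        elif line.startswith("config "):
            depth += 1                      # entering sysgrp-permission
        elif line == "end" and depth:
            depth -= 1
        elif line == "end":
            break                           # end of the accprofile table
        elif name and line.startswith("set "):
            key, val = line.split()[1:3]
            if depth and key in PERMS:      # 6.0: set admin none / set mnt none
                profiles[name][key] = val
            elif key == "sysgrp" and val != "custom":  # 6.0: whole sysgrp
                profiles[name] = dict.fromkeys(PERMS, val)
            elif key in ("admingrp", "mntgrp"):        # 5.2/5.4/5.6 syntax
                profiles[name][key[:-3]] = val
    return profiles

def non_compliant(profiles):
    # Profiles whose admin or mnt permission is anything other than none.
    return sorted(n for n, p in profiles.items() if any(p[k] != "none" for k in PERMS))
```

Running non_compliant(parse_accprofiles(SAMPLE_CONFIG)) lists "legacy_ops" and "super_admin"; the same call on a real backup shows which profiles still need the commands above.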

