what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

fortigate.txt

fortigate.txt
Posted Oct 3, 2003
Authored by Maarten Hartsuijker

Fortigate firewall pre 2.50 maintenance release 4 has multiple vulnerabilities that allow a remote attacker to gain a username and password of the system.

tags | advisory, remote, vulnerability
SHA-256 | 95f4fdeaee40230c69c9cea9ca94971a53173dfd647a8898779d5907ae087821

fortigate.txt

Change Mirror Download
Issue: Several vulnerabilities in web interface of Fortigate firewall of
which the most serious one will allow a remote attacker to obtain a username
and password of the Fortigate.
Release: pre 2.50 maintenance release 4
Fixed in: Fortinet OS 2.50 MR4, available from FTP as of 29 Sept. 2003
Date: 14/sept/2003
Vendor first notified: 14/sept/2003

During a review of the FortiGate firewall, I noticed several security flaws
in their webapplication. Combining two of the issues could allow a remote
attacker to obtain a username and password of the fortigate. FortiNet has
fixed one of the most serious flaws in the maintenance release 4, that is
available for customers on their FTP as off this week. Since the other
issues have not yet been fixed, I will not disclose these details at this
time.
Web filter log parses unfiltered session details:
After the web filter has been enabled, the administrator has the ability to
review the web filter logs via the web interface. The web filter logs
contain the URL that has been denied by the filter. Because of the fact that
unwanted characters are not stripped from the denied URL, a remote attacker
is able to gain the credentials of an administrator, as soon as the
administrator reviews the logs.

An example:
Pages with the keyword "mp3-download" are denied by the web filter. The page
<https://192.168.5.11/maarten.html> contains such a keyword. A remote
attacker could poison the log files by retrieving ''
https://192.168.5.11/maarten.html<script>alert(oops)</script>

When altering the script a bit, the user credentials could easily be
forwarded to the attacker, who could then use these credentials to alter the
firewall if the administrator has not properly secured access to
HTTPS/SSH/TELNET/HTTP.

Solution:
1. A basic rule in firewall administration is to only allow connections to
the firewall-administration-options from specific IP addresses (or
preferably, specific IP addresses connecting from a management network to
the management interface of the firewall). When this best practise is
applyed, an attacker that manages to gain administration credentials as
described above, will not be able to abuse them too easily.
2. Manage your firewall from a dedicated workstation that has no connections
(directly OR through a proxy) to untrusted networks in order to avoid a
credential push as described above.
3. Upgrade FortiOS 2.50MR4, which (according to fortinet) does not contain
this problem.

The first two solutions will also prevent abusal by the issues that have not
yet been disclosed.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close