FortiGate SSL VPN Portal 5.x Cross Site Scripting

2017.12.04
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

SEC Consult Vulnerability Lab Security Advisory < 20171129-0 > ======================================================================= title: FortiGate SSL VPN Portal XSS Vulnerability product: Fortinet FortiOS vulnerable version: see: Vulnerable / tested versions fixed version: see: Solution CVE number: CVE-2017-14186 impact: Medium homepage: https://www.fortinet.com found: 2017-10-02 by: Stefan Viehböck (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure. We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control--while providing easier administration." Source: https://www.fortinet.com/corporate/about-us/about-us.html Vulnerability overview/description: ----------------------------------- The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS) vulnerability. The HTTP GET parameter "redir" is vulnerable. An attacker can exploit this vulnerability by tricking a victim to visit a URL. The attacker is able to hijack the session of the attacked user, and use this vulnerability in the course of spear-phishing attacks, e.g. by displaying a login prompt that sends credentials of victim back to the attacker. Note: This vulnerability is also an open redirect and is very similar to a vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004). https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability Proof of concept: ----------------- The following request exploits the issue: https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location) The server responds with a page that looks as follows: --------------------------------------------------------------------------------------------------- <html><head> <script language="javascript"> document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29"); </script> </head></html> --------------------------------------------------------------------------------------------------- Vulnerable / tested versions: ----------------------------- FortiOS 5.6.0 -> 5.6.2 FortiOS 5.4.0 -> 5.4.6 FortiOS 5.2.0 -> 5.2.12 FortiOS 5.0 and below More information can be found at: https://fortiguard.com/psirt/FG-IR-17-242 Vendor contact timeline: ------------------------ 2017-10-02: Contacting vendor through psirt@fortinet.com 2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in version 5.6.3 2017-11-23: Vendor provides update 2017-11-29: Coordinated public release of advisory Solution: --------- FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th) FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec 7th) FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA: Dec 14th) More information can be found at: https://fortiguard.com/psirt/FG-IR-17-242 Workaround: ----------- Not available. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck / @2017


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top