
A Vulnerability in FortiGate Firmware Could Allow Security Bypass

MS-ISAC ADVISORY NUMBER:

2016-126

DATE(S) ISSUED:

08/26/2016

OVERVIEW:

FortiGate firmware (FortiOS) released before Aug 2012 has a buffer overflow vulnerability in its cookie parser. FortiOS is the operating system used by FortiGate network security platforms. When triggered by a crafted HTTP request, this vulnerability can allow an attacker to take control of execution.

THREAT INTELLIGENCE:

This vulnerability has been publicly disclosed and a tool exists to perform the exploit. There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • FortiGate (FortiOS) 4.3.8 and below
  • FortiGate (FortiOS) 4.2.12 and below
  • FortiGate (FortiOS) 4.1.10 and below
  • FortiSwitch 3.4.2 and below

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
N/A

TECHNICAL SUMMARY:

FortiGate firmware (FortiOS) released before Aug 2012 has a buffer overflow vulnerability in its cookie parser. When exploited through a maliciously crafted HTTP request, this vulnerability allows a malicious actor to replace the EGBL.config file with one of their own and thereby take control of execution.

Workarounds/Mitigating Details:
The following AV and IPS signatures block the potential attacks:
  • AV signature: ELF/Adows.A!exploit, since AV DB 36.803
  • IPS signature: FortiGate.Cookie.Buffer.Overflow, since IPS DB 8.935

FortiOS:
  • Disable admin access via HTTP and HTTPS on all interfaces, and use SSH instead.
  • On 4.3, if HTTP or HTTPS access is mandatory, restrict HTTP and HTTPS access to a minimal set of authorized IP addresses via the Local In policies.
  • On 4.2 and 4.1, if HTTP or HTTPS access is mandatory, restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses via the trusthost commands.

FortiSwitch:
  • Disable admin access via HTTP and HTTPS on all interfaces, and use the CLI instead. Alternatively, restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses via the trusthost commands.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install appropriate updates or follow the mitigation/workaround steps provided by FortiGate after appropriate testing:
      • Upgrade to release 5.x;
      • Upgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x;
      • FortiSwitch: Upgrade to release 3.4.3.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit administrative access to trusted hosts for the affected products.

CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 4: Continuous Vulnerability Assessment and Remediation
  • CIS Control 11: Secure Configurations for Network Devices