Search the Community

FortiGate SSL VPN Portal versions 5.6.2 and below, 5.4.6 and below, 5.2.12 and below, and 5.0 and below suffer from a cross site scripting vulnerability. ======================================================================= title: FortiGate SSL VPN Portal XSS Vulnerability product: Fortinet FortiOS vulnerable version: see: Vulnerable / tested versions fixed version: see: Solution CVE number: CVE-2017-14186 impact: Medium homepage: https://www.fortinet.com found: 2017-10-02 by: Stefan Viehböck (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure. We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control--while providing easier administration." Source: https://www.fortinet.com/corporate/about-us/about-us.html Vulnerability overview/description: ----------------------------------- The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS) vulnerability. The HTTP GET parameter "redir" is vulnerable. An attacker can exploit this vulnerability by tricking a victim to visit a URL. The attacker is able to hijack the session of the attacked user, and use this vulnerability in the course of spear-phishing attacks, e.g. by displaying a login prompt that sends credentials of victim back to the attacker. Note: This vulnerability is also an open redirect and is very similar to a vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004). https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability Proof of concept: ----------------- The following request exploits the issue: https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location) The server responds with a page that looks as follows: --------------------------------------------------------------------------------------------------- <html><head> <script language="javascript"> document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29"); </script> </head></html> --------------------------------------------------------------------------------------------------- Vulnerable / tested versions: ----------------------------- FortiOS 5.6.0 -> 5.6.2 FortiOS 5.4.0 -> 5.4.6 FortiOS 5.2.0 -> 5.2.12 FortiOS 5.0 and below More information can be found at: https://fortiguard.com/psirt/FG-IR-17-242 Vendor contact timeline: ------------------------ 2017-10-02: Contacting vendor through psirt@fortinet.com 2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in version 5.6.3 2017-11-23: Vendor provides update 2017-11-29: Coordinated public release of advisory Solution: --------- FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th) FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec 7th) FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA: Dec 14th) More information can be found at: https://fortiguard.com/psirt/FG-IR-17-242 Workaround: ----------- Not available. # 0day.today [2017-12-04] # Source: 0day.today