A Vulnerability in FortiGate Firmware Could Allow Security Bypass

ITS Advisory Number: 
2016-141
Date(s) Issued: 
Friday, August 26, 2016
Subject: 
A Vulnerability in FortiGate Firmware Could Allow Security Bypass
Overview: 

FortiGate firmware (FortiOS) released before Aug 2012 contains a buffer overflow in the cookie parser of its web-based administrative interface. FortiOS is the operating system used by FortiGate network security platforms. A remote attacker who can reach the administrative interface over HTTP or HTTPS can trigger the overflow with a crafted HTTP request and take over execution control, resulting in arbitrary code execution on the device.

Systems Affected: 

FortiGate (FortiOS) 

  • 4.3.8 and below

  • 4.2.12 and below

  • 4.1.10 and below
FortiSwitch

  • 3.4.2 and below

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
N/A
Description: 

FortiGate firmware (FortiOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. A remote attacker who can reach the web-based administrative interface can exploit it by sending a maliciously crafted HTTP request whose cookie data overflows a fixed-size buffer in the parser, corrupting memory and allowing the attacker to take over execution control and run arbitrary code on the firewall. No credentials on the device are replaced or modified to achieve this; EGBL.config, which is referenced in public reporting on this flaw, is the attack tool's own configuration file, not a file on the FortiGate.

Workarounds/Mitigating Details:

  • The following AV and IPS signatures block the potential attacks:

      ◦ AV signature: ELF/Adows.A!exploit, since AV DB 36.803

      ◦ IPS signature: FortiGate.Cookie.Buffer.Overflow, since IPS DB 8.935

FortiOS:

  • Disable admin access via HTTP and HTTPS on all interfaces, and use SSH instead

  • On 4.3, if HTTP or HTTPS access is mandatory, restrict HTTP and HTTPS access to a minimal set of authorized IP addresses via Local In policies (local-in-policy matches traffic destined for the FortiGate itself, so it can block the administrative interface without affecting forwarded traffic)

  • On 4.2 and 4.1, if HTTP or HTTPS access is mandatory, restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses via the trusthost settings on each administrator account; note that trusthost is per-account, so every account must be restricted or the restriction is incomplete

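The following FortiOS CLI fragment is an added illustration for this advisory; it is not Fortinet's text or configuration and should be checked against the CLI reference for the release in use. It shows the weak setting (web administration open on an Internet-facing interface) beside the two hardened forms described above. The interface name "wan1", the address object "mgmt-hosts", the administrator account name "admin" and the management subnet 10.10.10.0/24 are assumptions to be replaced with your own values.

```text
# --- Weak: the administrative web interface answers on the Internet-facing
# interface (assumed name "wan1") to any source address. This is the exposure
# that lets a crafted HTTP request reach the cookie parser.
config system interface
    edit "wan1"
        set allowaccess ping http https ssh
    next
end

# --- Hardened, preferred: remove HTTP and HTTPS from allowaccess and manage
# the device over SSH only. Repeat for every interface that had http/https.
config system interface
    edit "wan1"
        set allowaccess ping ssh
    next
end

# --- Hardened, FortiOS 4.3, when HTTPS administration is mandatory:
# permit HTTPS to the FortiGate itself only from the management subnet
# (assumed 10.10.10.0/24) and deny HTTP/HTTPS from everywhere else.
# Local-in policies are evaluated top down, so the accept must come first.
config firewall address
    edit "mgmt-hosts"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTP" "HTTPS"
        set schedule "always"
    next
end

# --- Hardened, FortiOS 4.2 / 4.1 (also works on 4.3): bind each administrator
# account to trusted source addresses. Repeat for every account in
# "config system admin"; an unrestricted account leaves the interface exposed.
config system admin
    edit "admin"
        set trusthost1 10.10.10.0 255.255.255.0
    next
end

# --- Verify the result before and after applying the change.
show system interface wan1
show firewall local-in-policy
show system admin
```

Because the overflow is reached through the HTTP request itself, the mitigation that removes the exposure outright (no http/https in allowaccess) is the only one that does not depend on a correctly ordered policy or on every administrator account being covered; treat the Local In and trusthost variants as stopgaps until the firmware upgrade in the Actions section is applied.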
FortiSwitch:

  • Disable admin access via HTTP and HTTPS on all interfaces, and use the CLI instead. Alternatively, restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses, via the 'trusthost' commands

Actions: 
  • After appropriate testing, apply the applicable updates, or follow the mitigation/workaround steps provided by Fortinet, to vulnerable systems:

      ◦ Upgrade to release 5.x;

      ◦ Upgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x;

      ◦ FortiSwitch: Upgrade to release 3.4.3.

  • Verify that no unauthorized modifications have been made to the system before applying the patch, since a device that was already compromised is not made trustworthy by the upgrade alone.

  • Monitor intrusion detection systems for any signs of anomalous activity, including hits on the IPS signature FortiGate.Cookie.Buffer.Overflow listed above.

  • Limit administrative access to trusted hosts for the affected products.