An authentication bypass using an alternate path or channel [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Successful exploitation gives a remote, unauthenticated attacker full administrative control of the device.
Severity: Critical. Affected products should be checked immediately.
Fortinet is aware of an incident in which this vulnerability was exploited and advises that you validate your systems immediately against the following indicator of compromise in the device's logs (an administrative-interface event whose user field carries this value instead of a real administrator account):
user="Local_Process_Access"
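To make that log check concrete, the following is an added example, not part of Fortinet's advisory or of this page: it parses key=value event-log lines and returns every event whose user field equals the published indicator. The sample lines are constructed for the example and loosely follow the FortiOS key=value event-log layout; only the user="Local_Process_Access" value comes from the advisory, and every other field name and value (srcip, ui, cfgpath, msg, the addresses) is an illustrative assumption.

```python
import re
from typing import Dict, Iterable, List

# Fortinet's published indicator: an administrative-interface event whose
# user field carries this value. A legitimate admin action records the
# administrator's own account name here instead.
IOC_USER = "Local_Process_Access"

# One key=value token; the value is either double-quoted or a bare run of
# non-space characters. Quoted values are tried first so spaces inside them
# do not split the token.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split a FortiOS-style key=value log line into a dict, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def find_ioc_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every parsed event whose user field equals the IoC value."""
    return [ev for ev in map(parse_event, lines) if ev.get("user") == IOC_USER]


def summarize(hits: List[Dict[str, str]]) -> List[str]:
    """One human-readable line per hit: when, from where, what was done."""
    return [
        f"{h.get('date', '?')} {h.get('time', '?')} "
        f"src={h.get('srcip', '?')} ui={h.get('ui', '?')} msg={h.get('msg', '?')}"
        for h in hits
    ]


# Constructed sample events (not real device output). Only user= is taken from
# the advisory; the other fields and their values are illustrative assumptions.
SAMPLE_LOGS = [
    'date=2022-10-10 time=11:47:58 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Admin login successful" user="admin" ui="https(198.51.100.7)" '
    'srcip=198.51.100.7 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(198.51.100.7)"',
    'date=2022-10-10 time=11:49:03 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object attribute configured" user="Local_Process_Access" '
    'ui="https(203.0.113.25)" srcip=203.0.113.25 cfgpath="system.admin" '
    'msg="Edit system.admin"',
    'date=2022-10-10 time=11:49:05 type="event" subtype="system" level="information" '
    'vd="root" logdesc="Object configured" user="Local_Process_Access" '
    'ui="https(203.0.113.25)" srcip=203.0.113.25 cfgpath="system.admin" '
    'msg="Add system.admin"',
    'date=2022-10-10 time=12:02:41 type="event" subtype="system" level="notice" '
    'vd="root" logdesc="Admin logout successful" user="admin" ui="https(198.51.100.7)" '
    'srcip=198.51.100.7 action="logout" status="success" msg="Administrator admin logged out"',
]

if __name__ == "__main__":
    for line in summarize(find_ioc_hits(SAMPLE_LOGS)):
        print(line)
```

Run it against an export of the device's event log (or the copy forwarded to a syslog server or FortiAnalyzer). Each hit shows the source address and the configuration object touched, which is what an incident responder needs to scope what the attacker changed. The absence of hits is not proof the device is clean: an attacker who obtained administrative rights could have altered logging, so also review local admin accounts and recent configuration changes, and prefer the forwarded log copy over the on-box one.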
Affected Products:
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
Workarounds:
FortiOS:
Disable HTTP/HTTPS administrative interface
OR
Limit the IP addresses that can reach the administrative interface. First create an address object for the permitted management hosts:
config firewall address
edit "my_allowed_addresses"
set subnet
end
Then create an Address Group:
config firewall addrgrp
edit "MGMT_IPs"
set member "my_allowed_addresses"
end
Then create local-in policies that allow the administrative services only from the predefined group on the management interface (here: port1) and deny them from everywhere else:
config firewall local-in-policy
edit 1
set intf port1
set srcaddr "MGMT_IPs"
set dstaddr "all"
set action accept
set service HTTPS HTTP
set schedule "always"
set status enable
next
edit 2
set intf "any"
set srcaddr "all"
set dstaddr "all"
set action deny
set service HTTPS HTTP
set schedule "always"
set status enable
end
If the administrative interface uses non-default ports, create matching service objects for GUI administrative access:
config firewall service custom
edit GUI_HTTPS
set tcp-portrange
next
edit GUI_HTTP
set tcp-portrange
end
Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.
Please contact customer support for assistance.
FortiProxy:
Disable HTTP/HTTPS administrative interface
OR
Limit the IP addresses that can reach the administrative interface (here: port1):
config system interface
edit port1
set dedicated-to management
set trust-ip-1
end
Please contact customer support for assistance.
FortiSwitchManager:
Disable HTTP/HTTPS administrative interface
Please contact customer support for assistance.
In order to protect your business, employees, and IT infrastructure you must take a proactive approach. Through the use of Layered Security Strategy, our experts can ensure that your assets are properly protected and secure. Reach out to us if you’d like to learn more by using the information below!