FortiGate SSL VPN Portal XSS Vulnerability

Project Description

The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS) vulnerability. An attacker is able to hijack the session of the attacked user, and use this vulnerability in the course of spear-phishing attacks, e.g. by displaying a login prompt that sends credentials of victim back to the attacker.


Vendor description

“From the start, the Fortinet vision has been to deliver broad, truly integrated, high-performance security across the IT infrastructure. We provide top-rated network and content security, as well as secure access products that share intelligence and work together to form a cooperative fabric. Our unique security fabric combines Security Processors, an intuitive operating system, and applied threat intelligence to give you proven security, exceptional performance, and better visibility and control–while providing easier administration.”

Source: https://www.fortinet.com/corporate/about-us/about-us.html

Vulnerability overview/description

The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS) vulnerability. The HTTP GET parameter “redir” is vulnerable. An attacker can exploit this vulnerability by tricking a victim to visit a URL. The attacker is able to hijack the session of the attacked user, and use this vulnerability in the course of spear-phishing attacks, e.g. by displaying a login prompt that sends credentials of victim back to the attacker.

Note: This vulnerability is also an open redirect and is very similar to a vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004).
https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability

Proof of concept

The following request exploits the issue:
https://vpn..com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)

The server responds with a page that looks as follows:

<html><head>
<script language="javascript">
document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29");
</script>
</head></html>

Vulnerable / tested versions

  • FortiOS 5.6.0 -> 5.6.2
  • FortiOS 5.4.0 -> 5.4.6
  • FortiOS 5.2.0 -> 5.2.12
  • FortiOS 5.0 and below

More information can be found at: https://fortiguard.com/psirt/FG-IR-17-242

Vendor contact timeline

2017-10-02: Contacting vendor through psirt@fortinet.com
2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in version 5.6.3
2017-11-23: Vendor provides update
2017-11-29: Coordinated public release of advisory

Solution

FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th)
FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec 7th)
FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA: Dec 14th)

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242

Workaround

Not available.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Stefan Viehböck / @2017

Project Details

  • TitleFortiGate SSL VPN Portal XSS Vulnerability
  • ProductFortinet FortiOS
  • Vulnerable versionsee: Vulnerable / tested versions
  • Fixed versionsee: Solution
  • CVE numberCVE-2017-14186
  • ImpactMedium
  • Homepagehttps://www.fortinet.com
  • Found2017-10-02
  • ByStefan Viehböck (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back