An authentication bypass exploiting an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface using specially crafted HTTP or HTTPS requests.  If this vulnerability is exploited, outsiders could get complete administrative rights.

This vulnerability has a severity level that is critical and affected products should be checked immediately.

Our Journey With WAGS

Exploitation Status

Fortinet is aware of an incident in which this vulnerability was exploited and advises that you validate your systems immediately against the following indicator of compromise in the device’s logs:

user=”Local_Process_Access”

Our Journey With WAGS

Affected Products

FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0

Our Journey With WAGS

Workaround

FortiOS:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface:

config firewall address

edit “my_allowed_addresses”

set subnet

end

Then create an Address Group:

config firewall addrgrp

edit “MGMT_IPs”

set member “my_allowed_addresses”

end

Create the Local in Policy to restrict access only to the predefined group on management interface (here: port1):

config firewall local-in-policy

edit 1

set intf port1

set srcaddr “MGMT_IPs”

set dstaddr “all”

set action accept

set service HTTPS HTTP

set schedule “always”

set status enable

next

edit 2

set intf “any”

set srcaddr “all”

set dstaddr “all”

set action deny

set service HTTPS HTTP

set schedule “always”

set status enable

end

If using non default ports, create appropriate service object for GUI administrative access:

config firewall service custom

edit GUI_HTTPS

set tcp-portrange

next

edit GUI_HTTP

set tcp-portrange

end

Use these objects instead of “HTTPS HTTP “in the local-in policy 1 and 2 below.

Please contact customer support for assistance.

FortiProxy:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface (here: port1):

config system interface

edit port1

set dedicated-to management

set trust-ip-1

end

Please contact customer support for assistance.

FortiSwitchManager:

Disable HTTP/HTTPS administrative interface

Please contact customer support for assistance.

In order to protect your business, employees, and IT infrastructure you must take a proactive approach. Through the use of Layered Security Strategy, our experts can ensure that your assets are properly protected and secure. Reach out to us if you’d like to learn more by using the information below!

If you have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com