An authentication bypass using an alternate path or channel [CWE-288] in FortiOS, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. If exploited, an outsider could gain complete administrative rights over the device.

This vulnerability is rated critical; affected products should be checked immediately.

Exploitation Status

Fortinet is aware of an incident in which this vulnerability was exploited and advises that you validate your systems immediately against the following indicator of compromise in the device’s logs:

user="Local_Process_Access"

Affected Products

FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0
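Added example (not from the advisory or from Fortinet): a small Python triage helper that checks a product and version against the affected ranges listed above and scans exported FortiOS event logs for the user="Local_Process_Access" indicator. The log lines are constructed samples, and the key=value parsing assumes the usual FortiOS log layout.

```python
import re
# Affected version ranges copied from the advisory: (product, lowest, highest), inclusive.
AFFECTED = [
    ("FortiOS", (7, 2, 0), (7, 2, 1)),
    ("FortiOS", (7, 0, 0), (7, 0, 6)),
    ("FortiProxy", (7, 2, 0), (7, 2, 0)),
    ("FortiProxy", (7, 0, 0), (7, 0, 6)),
    ("FortiSwitchManager", (7, 2, 0), (7, 2, 0)),
    ("FortiSwitchManager", (7, 0, 0), (7, 0, 0)),
]

def parse_version(text):
    """'7.0.6' -> (7, 0, 6); rejects anything that is not three numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(product, version):
    """True if product/version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(p == product and lo <= v <= hi for p, lo, hi in AFFECTED)

# FortiOS event logs are space-separated key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Turn one FortiOS log line into a dict of field -> value, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def find_ioc_hits(lines, ioc_user="Local_Process_Access"):
    """Return parsed records whose user field equals the advisory's indicator."""
    return [rec for rec in map(parse_log_line, lines) if rec.get("user") == ioc_user]

# Constructed sample lines (not captured from a real device): a normal admin
# login followed by a record carrying the indicator user value.
SAMPLE_LOGS = [
    'date=2022-10-11 time=09:14:02 type="event" subtype="system" level="information" '
    'user="admin" ui="https(198.51.100.7)" msg="Administrator admin logged in successfully"',
    'date=2022-10-11 time=09:15:40 type="event" subtype="system" level="information" '
    'user="Local_Process_Access" ui="https(203.0.113.9)" msg="constructed sample record"',
]

if __name__ == "__main__":
    for product, ver in (("FortiOS", "7.0.6"), ("FortiOS", "7.0.7")):
        print(product, ver, "affected" if is_affected(product, ver) else "not affected")
    for hit in find_ioc_hits(SAMPLE_LOGS):
        print("IoC hit:", hit["date"], hit["time"], hit.get("ui"))
```

Any hit should be treated as a reason to investigate the device, not as proof of compromise on its own; the advisory only states that this user value appears in logs from the known incident.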

Workaround

FortiOS:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface:

config firewall address
    edit "my_allowed_addresses"
        set subnet <MY IP> <MY SUBNET>
end

Then create an Address Group:

config firewall addrgrp
    edit "MGMT_IPs"
        set member "my_allowed_addresses"
end

Create a local-in policy that restricts access to the predefined group on the management interface (here: port1):

config firewall local-in-policy
    edit 1
        set intf port1
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service HTTPS HTTP
        set schedule "always"
        set status enable
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service HTTPS HTTP
        set schedule "always"
        set status enable
end

If non-default ports are used, create matching service objects for GUI administrative access:

config firewall service custom
    edit GUI_HTTPS
        set tcp-portrange <admin-sport>
    next
    edit GUI_HTTP
        set tcp-portrange <admin-port>
end

Use these objects instead of "HTTPS HTTP" in local-in policies 1 and 2 above.

Please contact customer support for assistance.

FortiProxy:

Disable HTTP/HTTPS administrative interface

OR

Limit IP addresses that can reach the administrative interface (here: port1):

config system interface
    edit port1
        set dedicated-to management
        set trust-ip-1 <MY IP> <MY SUBNET>
end

Please contact customer support for assistance.

FortiSwitchManager:

Disable HTTP/HTTPS administrative interface

Please contact customer support for assistance.

If you have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com