Introduction

Some months ago, I reported to the Fortinet PSIRT team two vulnerabilities which affect different Fortigate firmware versions. 

You probably know that "Fortinet is a leading provider of fast and secure cyber security solutions and offers enterprise-level next-generation firewalls and a vast array of network security products."

As usual, I'm disclosing these vulnerabilities under responsible disclosure, which is (in my opinion) one of the best ways, in most cases, to publish the technical details of a vulnerability.

You can find the Fortinet public advisory here.

I'd like to thank the Spanish Fortinet team for helping me with the case by speeding it up.

Vulnerability Details

Affected version

  • 5.0 branch: 5.0.12 or below
  • 5.2 branch: 5.2.2 or below

*** 4.3 and lower branches are not affected

Open Redirect

The Open Redirect is located in the Fortinet Fortigate web administration console.

Proof of concept:

  • https://fortigate-management-ip-address/login?redir=http://evil-site

The "redir" parameter has no validation of any kind implemented, so I'm able to redirect the browser from the Fortigate web login portal to any malicious web site.

Case study example:

  1. An attacker sends a phishing email to the firewall administrator with the link below: https://fortigate-management-ip-address/login?redir=http://evil-site (the attacker would previously have figured out the firewall management IP address).
  2. If the administrator clicks on the link, the real login portal appears and the administrator is expected to type the admin credentials.
  3. Once the user/password is typed, the browser is redirected to the attacker's evil-site, which hosts a fake Fortigate login portal. The credentials are asked for again under the pretext of an erroneous user/password.
  4. The administrator retypes the credentials, the evil-site receives the user/password and redirects the browser to the real firewall login portal.
  5. The administrator types the credentials once more and gets access to the real firewall. Meanwhile, the attacker has stolen the user/password.

Cross Site Scripting

The Cross Site Scripting vulnerability is located in the Fortinet Fortigate web administration console.

Proof of concept:

  • https://fortigate-management-ip-address/login?redir=javascript:alert(document.cookie)

The "redir" parameter has no validation of any kind implemented, so we are able to execute JavaScript code in the victim's browser.
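Both the open redirect and the XSS above come from the same root cause, so the server-side fix is the same: only ever redirect to a same-origin path. The following is an added example written for this post, not FortiOS code; the LOGIN_ORIGIN value, the sample request lines and the flag_suspicious_redir helper are assumptions, and the validator assumes the web framework has already URL-decoded the parameter once.

```python
from typing import Optional
from urllib.parse import parse_qsl, urljoin, urlsplit

# Placeholder origin for the management portal, not a real host.
LOGIN_ORIGIN = "https://fortigate-management-ip-address"
DEFAULT_LANDING = "/"


def safe_redirect_target(redir: Optional[str]) -> str:
    """Return a same-origin path to send the browser to after login, or the
    default landing page when the value is anything other than a local path."""
    if not redir:
        return DEFAULT_LANDING
    value = redir.strip()
    # Control characters and embedded whitespace can smuggle a scheme past
    # naive prefix checks ("java\tscript:"), so reject them outright.
    if any(ord(c) < 0x20 or c.isspace() for c in value):
        return DEFAULT_LANDING
    # Exactly one leading slash: "//host" is protocol-relative and several
    # browsers normalise "/\host" to "//host", so both would leave the origin.
    if not value.startswith("/") or value.startswith(("//", "/\\")):
        return DEFAULT_LANDING
    parts = urlsplit(value)
    # Any scheme ("javascript:", "http:") or host means this is not a local path.
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    # Resolve against the portal origin and confirm the result still lives there.
    resolved = urljoin(LOGIN_ORIGIN + "/", value)
    if urlsplit(resolved).netloc != urlsplit(LOGIN_ORIGIN).netloc:
        return DEFAULT_LANDING
    return value


def flag_suspicious_redir(request_url: str) -> bool:
    """Detection side: True when a logged login request carries a redir value
    the validator would reject, which is what a phishing link would look like."""
    for key, val in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        if key == "redir" and val not in ("", "/"):
            if safe_redirect_target(val) == DEFAULT_LANDING:
                return True
    return False


if __name__ == "__main__":
    # Constructed request lines modelled on the proof-of-concept URLs above.
    for line in (LOGIN_ORIGIN + "/login?redir=http://evil-site",
                 LOGIN_ORIGIN + "/login?redir=javascript:alert(document.cookie)",
                 LOGIN_ORIGIN + "/login?redir=/system/dashboard"):
        print(flag_suspicious_redir(line), line)
```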

Solutions

Upgrade to one of the following FortiOS versions:

  • 5.0 branch: 5.0.13 or above
  • 5.2 branch: 5.2.3 or above
  • 5.4 branch: 5.4.0 or above

Conclusion

Every single device or appliance in your network, even those that are part of your security infrastructure, can be affected by some vulnerability. We have seen other well-known vendors such as Juniper, FireEye, Cisco, etc. affected by similar vulnerabilities as well. This should always be kept in mind.

The vulnerabilities mentioned above are hard to exploit because the firewall administrator is not supposed to click on a link that forwards to their own firewall... But who knows... ;)
