MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
A Vulnerability in FortiGate Firmware Could Allow Security Bypass
FortiGate firmware (FortiOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. FortiOS is the operating system used by FortiGate network security platforms. When exploited by a crafted HTTP request, this vulnerability can result in execution control of the device being taken over.
This vulnerability has been publicly disclosed and a tool exists to perform the exploit. There are currently no reports of this vulnerability being exploited in the wild.
- FortiGate (FortiOS):
- 4.3.8 and below
- 4.2.12 and below
- 4.1.10 and below
- 3.4.2 and below
• Large and medium government entities: High
• Small government entities: High
• Large and medium business entities: High
• Small business entities: High
• Home users: N/A
FortiGate firmware (FortiOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. When exploited through a maliciously crafted HTTP request, this vulnerability allows a malicious actor to replace the EGBL.config file with their own, resulting in execution control being taken over.
- Workarounds/Mitigating Details:
- Install appropriate updates or follow mitigation/workaround steps provided by FortiGate after appropriate testing.
- Upgrade to release 5.x;
- Upgrade to release 4.3.9 or above for models not compatible with FortiOS 5.x;
- FortiSwitch: Upgrade to release 3.4.3.
- Verify no unauthorized system modifications have occurred on system before applying patch.
- Monitor intrusion detection systems for any signs of anomalous activity.
- Unless required, limit administrative access to trusted hosts for the affected products.
- The following AV and IPS signatures block the potential attacks:
  - AV signature: ELF/Adows.A!exploit since AV DB 36.803
  - IPS signature: FortiGate.Cookie.Buffer.Overflow since IPS DB 8.935
- Disable admin access via HTTP and HTTPS on all interfaces, and use SSH instead.
- On 4.3, if HTTP or HTTPS access is mandatory, one can restrict access to HTTP and HTTPS to a minimal set of authorized IP addresses, via the Local In policies.
- On 4.2 and 4.1, if HTTP or HTTPS access is mandatory, one can restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses, via the trusthost commands.
- Disable admin access via HTTP and HTTPS on all interfaces, and use the CLI instead. Alternatively, restrict access to the administration interfaces (including HTTP and HTTPS access) to a minimal set of authorized IP addresses, via the 'trusthost' commands.
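The two workarounds the advisory names, removing HTTP/HTTPS administration from the interfaces and restricting the remaining administrative access with trusthost, as an added FortiOS 4.x CLI example that is not part of the advisory. The interface name port1, the admin account name admin, and the 192.0.2.0/24 management range are assumed placeholders.

```text
# Added example (not from the advisory). Interface "port1", admin account
# "admin" and the management network 192.0.2.0/24 are assumed values.
# FortiOS 4.x CLI; lines starting with "#" are comments.

# 1. Drop HTTP and HTTPS from the administrative services an interface
#    answers on, leaving SSH (and ping) for management. The vulnerable
#    cookie parser is no longer reachable through this interface.
config system interface
    edit "port1"
        set allowaccess ping ssh
    next
end

# 2. Where web administration must stay, pin the administrator account to
#    the hosts allowed to reach it (the 4.2 / 4.1 'trusthost' commands).
#    Login attempts from any other source address are not accepted, for
#    HTTP and HTTPS as well as for SSH.
config system admin
    edit "admin"
        set trusthost1 192.0.2.10 255.255.255.255
        set trusthost2 192.0.2.0 255.255.255.0
    next
end

# 3. Verify the effective settings before relying on them.
show system interface port1
show system admin admin
```

Trusted hosts are set per administrator account, so step 2 must be repeated for every admin account on the device; an account left without trusthost entries remains reachable from any address.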
We recommend the following actions be taken: