lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 2 Dec 2017 11:09:14 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20171129-0 :: FortiGate SSL VPN Portal XSS
 Vulnerability

SEC Consult Vulnerability Lab Security Advisory < 20171129-0 >
=======================================================================
              title: FortiGate SSL VPN Portal XSS Vulnerability
            product: Fortinet FortiOS
 vulnerable version: see: Vulnerable / tested versions
      fixed version: see: Solution
         CVE number: CVE-2017-14186
             impact: Medium
           homepage: https://www.fortinet.com
              found: 2017-10-02
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Vulnerability overview/description:
-----------------------------------
The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS)
vulnerability. The HTTP GET parameter "redir" is vulnerable.
An attacker can exploit this vulnerability by tricking a victim to visit a URL.
The attacker is able to hijack the session of the attacked user, and use this
vulnerability in the course of spear-phishing attacks, e.g. by displaying a
login prompt that sends credentials of victim back to the attacker.

Note: This vulnerability is also an open redirect and is very similar to a
vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004).
https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability


Proof of concept:
-----------------
The following request exploits the issue:
https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)


The server responds with a page that looks as follows:
---------------------------------------------------------------------------------------------------
<html><head>
<script language="javascript">
document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29");
</script>
</head></html>
---------------------------------------------------------------------------------------------------


Vulnerable / tested versions:
-----------------------------
FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Vendor contact timeline:
------------------------
2017-10-02: Contacting vendor through psirt@...tinet.com
2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in
            version 5.6.3
2017-11-23: Vendor provides update
2017-11-29: Coordinated public release of advisory


Solution:
---------
FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th)
FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec
7th)
FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA:
Dec 14th)

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Workaround:
-----------
Not available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2017



Download attachment "smime.p7s" of type "application/pkcs7-signature" (3995 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ