nessus
This script is Copyright (C) 2017-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
FORTIOS_FG-IR-17-242.NASL
HistoryNov 30, 2017 - 12:00 a.m.

Fortinet FortiOS <= 5.4 / 5.6.x < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Web Portal login redir XSS (FG-IR-17-242)

2017-11-30 00:00:00
This script is Copyright (C) 2017-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
87

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.029 Low

EPSS

Percentile

90.9%

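The version of Fortinet FortiOS running on the remote host is prior to or equal to 5.4, 5.6.x prior to 5.6.8, or 6.0.x prior to 6.0.5. It is, therefore, affected by a cross-site scripting (XSS) vulnerability in the SSL VPN web portal due to a failure to sanitize the login redir parameter. An unauthenticated, remote attacker can exploit this, by convincing a user to click on a specially crafted URL, to execute arbitrary script code in a user’s browser session or to redirect the user to a malicious website. Note that the CVSS vectors published with this plugin (Au:S in CVSS2, PR:L in CVSS3) assume an attacker who holds low privileges, which does not match the "unauthenticated" wording; check the Fortinet advisory (FG-IR-17-242) when prioritising. The plugin does not send a test request: it compares the reported FortiOS version and inspects the SSL VPN state and configuration.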

#TRUSTED 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
#TRUST-RSA-SHA256 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
##
# (C) Tenable Network Security, Inc.
##

include("compat.inc");

# Registration block: when the scanner loads the plugin with `description` set,
# only the metadata below is declared and the script exits without testing anything.
if (description)
{
  script_id(104886);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/30");

  # Identifiers that tie a finding back to the vendor and public trackers.
  script_cve_id("CVE-2017-14186");
  script_bugtraq_id(101955);

  script_name(english:"Fortinet FortiOS <= 5.4 / 5.6.x < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Web Portal login redir XSS (FG-IR-17-242)");
  # The summary states that this is a version check; no request is sent to the SSL VPN portal.
  script_summary(english:"Checks the version of FortiOS.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a cross-site scripting vulnerability.");
  # NOTE(review): the text below says "unauthenticated", while both base vectors set
  # further down encode a privilege requirement (Au:S in CVSS2, PR:L in CVSS3).
  # Confirm against the linked advisory which of the two is correct before relying on either.
  script_set_attribute(attribute:"description", value:
"The version of Fortinet FortiOS running on the remote host is prior or equal to 5.4, 5.6.x prior to 5.6.8, or 6.0.x
prior to 6.0.5. It is, therefore, affected by a cross-site scripting (XSS) vulnerability in the SSL VPN web portal due
to a failure to sanitize the login redir parameter. An unauthenticated, remote attacker can exploit this, by convincing
a user to click on a specially crafted URL, to execute arbitrary script code in a user's browser session or to redirect 
the user to a malicious website.");
  script_set_attribute(attribute:"see_also", value:"https://www.fortiguard.com/psirt/FG-IR-17-242");
  # Remediation: upgrade to a fixed release, or apply a workaround from the advisory.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Fortinet FortiOS version 5.6.8 / 6.0.5 / 6.2.0 or later. Alternatively, apply one of the workarounds
outlined in the linked advisory.");
  # Base and temporal vectors for CVSS2 and CVSS3; the score source is the CVE entry.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-14186");

  # Exploit availability is recorded as true, consistent with the proof-of-concept
  # temporal metrics above (E:POC / E:P).
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/11/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/30");

  # Declared as a local check against the FortiOS operating-system CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fortinet:fortios");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2017-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The plugin requires both KB keys below; presumably they are populated by the
  # fortinet_version.nbin dependency - TODO confirm. Without them the plugin cannot
  # report, so a clean result on a host where version collection failed is not
  # evidence that the host is patched.
  script_dependencies("fortinet_version.nbin");
  script_require_keys("Host/Fortigate/model", "Host/Fortigate/version");

  exit(0);
}

include('vcf_extras_fortios.inc');

# Read the FortiOS version from the KB key 'Host/Fortigate/version'.
var app_info = vcf::get_app_info(app:'FortiOS', kb_ver:'Host/Fortigate/version');

# Presumably stops the plugin when the target is not a FortiGate - confirm in vcf_extras_fortios.inc.
vcf::fortios::verify_product_and_model(product_name:'FortiGate');

# Affected ranges: everything up to 5.4, 5.6.0 up to (not including) 5.6.8,
# and 6.0.0 up to (not including) 6.0.5.
# NOTE(review): 'max_version' : '5.4' has only two components. Whether a release such as
# 5.4.x counts as "<= 5.4" depends on how vcf compares versions of different lengths;
# confirm this, since a strict comparison would leave later 5.4 builds unreported.
var constraints = [
  {
    'max_version'   : '5.4',
    'fixed_display' : '5.6.8 / 6.0.5 / 6.2.0 or later'
  },
  {
    'min_version'   : '5.6.0',
    'fixed_version' : '5.6.8'
  },
  {
    'min_version'   : '6.0.0',
    'fixed_version' : '6.0.5'
  }
];

# The SSL VPN setting to look for depends on the release: source-interface only exists
# in the configuration from 5.2 onwards, older releases use sslvpn-enable instead.
var ssl_config_value = 'set sslvpn-enable enable';
if (ver_compare(ver:app_info.version, fix:'5.2.0', strict:FALSE) >= 0)
  ssl_config_value = 'set source-interface';

# Only hosts with the SSL VPN web portal enabled are impacted; disabling SSL VPN entirely
# or disabling the web portal are valid workarounds.
# First entry: diagnose sys top <Delay_in_seconds> <Maximum_lines_to_display> <Iterations_to_run>,
# run once with up to 200 lines. If sslvpnd is not running, the host is not currently vulnerable.
# NOTE(review): the 200-line cap assumes the whole process list fits in the output; on a
# device with more processes sslvpnd could fall outside it - confirm how a miss is treated.
# The check is also a point-in-time observation of the process list.
# Second entry: looks for the SSL VPN setting chosen above in the full configuration.
var workarounds = [
  {config_command:'diagnose sys top 1 200 1', config_value:'sslvpnd', misc_cmd:TRUE},
  {config_command:'full-configuration vpn ssl settings', config_value:ssl_config_value}
];

# Compare the version against the constraints, evaluate the workaround checks and report.
# NOTE(review): not_equal:TRUE presumably inverts the workaround match, so that finding the
# value means the workaround is NOT in place - confirm against vcf_extras_fortios.inc.
vcf::fortios::check_version_and_report(
  app_info    : app_info,
  constraints : constraints,
  workarounds : workarounds,
  not_equal   : TRUE,
  show_check  : 'config vpn ssl settings',
  severity    : SECURITY_WARNING,
  flags       : {xss:true}
);

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| fortinet | fortios | | cpe:/o:fortinet:fortios |
