| Title | Published | Views | Reporter |
|---|---|---|---|
| FortiGate SSL VPN Portal 5.x Cross Site Scripting Vulnerability | 4 Dec 2017 00:00 | – | zdt |
| The vulnerability in the FortiOS operating system’s web portal allows a hacker to inject any desired JavaScript or HTML code. | 31 Oct 2018 00:00 | – | bdu_fstec |
| Fortinet FortiOS SSL-VPN Portal Cross-Site Scripting Vulnerability | 30 Nov 2017 00:00 | – | cnvd |
| Fortinet FortiOS Cross-Site Scripting (CVE-2017-14186) | 16 Sep 2020 00:00 | – | checkpoint_advisories |
| CVE-2017-14186 | 29 Nov 2017 19:00 | – | cve |
| CVE-2017-14186 | 29 Nov 2017 19:00 | – | cvelist |
| EUVD-2017-5696 | 7 Oct 2025 00:30 | – | euvd |
| Protect | 24 May 2019 00:00 | – | fortinet |
| Fortinet FortiOS <= 5.4 / 5.6.x < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Web Portal login redir XSS (FG-IR-17-242) | 30 Nov 2017 00:00 | – | nessus |
| Fortinet FortiOS (Mac OS X) <= 5.4 / 5.6.x < 5.6.8 / 6.0.x < 6.0.5 SSL VPN Web Portal login redir XSS (FG-IR-17-242) (deprecated) | 14 Jun 2019 00:00 | – | nessus |

`SEC Consult Vulnerability Lab Security Advisory < 20171129-0 >
=======================================================================
title: FortiGate SSL VPN Portal XSS Vulnerability
product: Fortinet FortiOS
vulnerable version: see: Vulnerable / tested versions
fixed version: see: Solution
CVE number: CVE-2017-14186
impact: Medium
homepage: https://www.fortinet.com
found: 2017-10-02
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.
We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."
Source: https://www.fortinet.com/corporate/about-us/about-us.html
Vulnerability overview/description:
-----------------------------------
The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS)
vulnerability. The HTTP GET parameter "redir" is vulnerable.
An attacker can exploit this vulnerability by tricking a victim into visiting a URL.
The attacker is able to hijack the session of the attacked user, and use this
vulnerability in the course of spear-phishing attacks, e.g. by displaying a
login prompt that sends the victim's credentials back to the attacker.
Note: This vulnerability is also an open redirect and is very similar to a
vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004).
https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability
Proof of concept:
-----------------
The following request exploits the issue:
https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)
The server responds with a page that looks as follows:
---------------------------------------------------------------------------------------------------
<html><head>
<script language="javascript">
document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29");
</script>
</head></html>
---------------------------------------------------------------------------------------------------
Vulnerable / tested versions:
-----------------------------
FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below
More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242
Vendor contact timeline:
------------------------
2017-10-02: Contacting vendor through [email protected]
2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in
version 5.6.3
2017-11-23: Vendor provides update
2017-11-29: Coordinated public release of advisory
Solution:
---------
FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th)
FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec
7th)
FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA:
Dec 14th)
More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242
Workaround:
-----------
Not available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Stefan Viehböck / @2017
`
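
The response page in the proof of concept assigns the decoded `redir` value directly to `document.location`, so a `javascript:` URL executes in the portal's origin and any external URL works as an open redirect. The following is an added example, not Fortinet's or SEC Consult's code: one way a redirect endpoint can validate the target before reflecting it. The origin `https://vpn.example.test`, the fallback `/` and the function names `safeRedirectTarget` and `renderRedirectPage` are assumptions made for illustration.

```javascript
// Added example, not Fortinet's code. Names and origin below are assumptions.
const PORTAL_ORIGIN = 'https://vpn.example.test'; // placeholder portal origin
const FALLBACK = '/';                             // assumed safe default target

// Return a same-origin "path?query#hash" string, or FALLBACK when the input is
// anything else (javascript:, data:, //host, absolute off-site URLs, garbage).
function safeRedirectTarget(redir, origin = PORTAL_ORIGIN) {
  if (typeof redir !== 'string' || redir.length === 0) return FALLBACK;
  // Refuse control characters and backslashes up front instead of relying on
  // URL-parser normalisation (parsers drop tab/CR/LF and read "\" as "/").
  if (/[\u0000-\u001f\u007f\\]/.test(redir)) return FALLBACK;
  let url;
  try {
    url = new URL(redir, origin); // relative input resolves against the portal
  } catch {
    return FALLBACK;
  }
  // Scheme allow-list: stops the javascript: payload from the advisory.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return FALLBACK;
  // Same-origin only: stops the open-redirect variant.
  if (url.origin !== new URL(origin).origin) return FALLBACK;
  return url.pathname + url.search + url.hash;
}

// Hardened form of the response page: the validated target is emitted as a
// JSON string literal, with "<" escaped so it cannot close the script element.
function renderRedirectPage(redir) {
  const literal = JSON.stringify(safeRedirectTarget(redir)).replace(/</g, '\\u003c');
  return `<html><head><script>document.location=${literal};</script></head></html>`;
}

// Constructed sample inputs (not captured traffic).
const samples = [
  'javascript:alert(%22XSS%20%22%2Bdocument.location)', // payload from the advisory
  '//other.example/login',                               // protocol-relative, off-site
  'https://vpn.example.test.other.example/',             // look-alike host
  '/portal/bookmarks?tab=1',                             // legitimate relative target
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}
```
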