The ROBOT Attack - Return of Bleichenbacher's Oracle Threat
A plaintext recovery of encrypted messages or a Man-in-the-middle MiTM attack on RSA PKCS 1 v1.5 encryption may be possible without knowledge of the server's private key...
FortiManager allows unauthorized viewing of vdoms settings by any adom standard users
A standard user with adom assignment can read the interface settings of vdoms unrelated to his/her adom...
Bleichenbacher and Dictionary Attacks on IPsec IKE
Two new attacks on IPsec IKE Internet Key Exchange were recently disclosed 1, involving multiple ways to perform attacks against IKE signature based and PSK Pre-Shared Key authentications. The end goal is to crack IPsec VPN encrypted communications. The relevant CVEs are: CVE-2018-5389: Practical...
Forgot password link doesn't expire after use
FortiCloud password reset link requested by the user takes one hour to expire even after password was changed successfully, thus allowing attackers to take over user's account if they somehow gain access to the reset link for the user's password...
Multiple Cross Site Scripting on FortiCloud Web Interface Login
Before August, 2018, parameters at /loginmgrlogin in forticloud.com were vulnerable to a Cross-Site-Scripting XSS attack...
FortiWeb Recursive URL Decoding is not enabled by default
FortiWeb's "Recursive URL Decoding" feature can detect URL-based attacks among which XSS and SQL injection attempts even when the malicious URL is recursively encoded. However, this feature is not enabled by default in FortiWeb's system settings for FortiWeb version 6.0.0 and below...
Application control block page leaks private IP and hostname
The default replacement message in FortiOS' Application control block page reveals the private IP as well as the hostname of the FortiGate...
OpenSSL Security Advisory [26 Jan 2017]
The OpenSSL project released an advisory on Jan 26th, 2017, describing 3 Moderate, 1 Low severity vulnerabilities, as listed below:...
Stored XSS under CA and CRL certificate view page
Javascript code and HTML tags can be injected into the CN value of CA and CRL certificates via the import CA and CRL certificates feature of the GUI. The injected code may be executed when the GUI administrator views the CA certificate details and browses CRL certificates when CN values are...
OpenRedirect in Malicious Generated PDF Document on FortiAnalyzer and FortiManager
An open redirect vulnerability exists in FortiAnalyzer and FortiManager when a user of the GUI is converting an HTML table to a PDF document via the FortiView feature, due to lack of user input sanitization...
FortiManager XSS vulnerability when view config under Revision History
A potential Cross-site Scripting XSS vulnerability exists in FortiManager: Displayed data is not sanitized when an administrator views the managed devices configuration, in the installation revision history of the GUI...
FortiOS SSL VPN webportal user credentials present in plain text in client side javascript file
An information disclosure vulnerability exists in the SSL-VPN web portal of FortiOS: when pages bookmarked in the web portal use the Single sign-on SSO feature, the user's webportal's login and password are included in a javascript file sent client-side. The leaked credential may potentially be...
FortiAnalyzer and FortiManager admin user avatar setting improper access control
An improper access control vulnerability exists in FortiAnalyzer and FortiManager, whereby a regular user of the GUI can edit the avatar picture of other users including with higher privileges with arbitrary content...
ISC BIND vulnerabilities
Multiple Denial of Service DoS or process crash vulnerabilities CVE-2018-5737, CVE-2018-5736 are affecting ISC BIND...
Potential XSS in "CSRF validation failure" page due to lack of referer sanitization
On FortiAuthenticator, an HTML page is returned to the user when the CSRF validation fails on referer mismatch. This page displays the faulty referer without sanitizing it. Therefore, in an attack scenario where the referer could be manipulated, the attacker could inject malicious scripts in the...
Firewall information leak to regular SSL VPN web portal users
An SSL VPN user logged in via the web portal can access internal FortiOS configuration information (eg: addresses) via specifically crafted URLs...
FortiOS local privilege escalation via malicious use of USB storage devices
An admin user with superadmin privileges can execute an arbitrary binary contained on a USB drive plugged into a FortiGate, via linking the aforementioned binary to a command that is allowed to be run by the fnsysctl CLI command...
FortiOS SSL Deep-Inspection Proxy Mode badssl.com Compliance
US-Cert published a document at which outlines some security flaws that may be introduced by the use of SSL Deep-Inspection....
Use of hardcoded credentials for communication between Meru access points and FortiWLC
FortiWLC included two hardcoded accounts which were used by Meru Access Points to report core dumps; these accounts had read/write privileges over various parts of the system. Starting with FortiWLC 7.0.13 and FortiWLC 8.4.0, the accounts are now completely removed and do not persist over firmwar...
FortiClient insecure VPN credential storage and encryption
In certain conditions, FortiClient users' VPN credentials are stored in improperly secured locations and unsafely encrypted...
AMD processors affected by vulnerabilities: Ryzenfall, Fallout, Chimera and Masterkey
A collection of AMD vulnerabilities known as "Ryzenfall, Fallout, Chimera, Masterkey" has been released. Attackers in possession of these vulnerabilities would receive additional capabilities, like persistence by malware injection, stealth, network credential theft and more. It affects AMD...
BranchScope: New CPU Side-Channel Attack
A new side-channel attack that takes advantage of the speculative execution feature of modern processors to recover data from targeted users' CPUs has been disclosed. It targets the "branch prediction" operations, which is the same part of a CPU speculative execution process as the one targeted ...
FortiWeb's cookie tampering protection can be bypassed by erasing the FortiWeb session cookie
An improper access control vulnerability in FortiWeb's Signed Security mode may allow an attacker to disable the cookie tampering protection offered by FortiWeb to sites FortiWeb protects, via deleting FortiWeb's session cookie...
HTTP Host header attacks against web proxy disclaimer response webpage
The FortiOS web proxy disclaimer page is potentially vulnerable to an XSS attack, via maliciously crafted "Host" headers in user HTTP requests. The latter is possible if an attacker is in a Man-in-the-middle position i.e. able to modify the HTTP requests of the potential victim before they reach...
Intel-SA-00086 Security Review Cumulative Update
Intel recently released a security update Intel-SA-00086, regarding Intel ME 11.x, SPS 4.0, and TXE 3.0 intel products...
Gain Windows privileges with FortiClient vpn before logon and untrusted certificate
When the "VPN before logon" feature of FortiClient Windows is enabled (disabled by default), and when the server certificate is not valid, it is possible for an attacker without a user account on the targeted Windows workstation to obtain SYSTEM level privileges, via exploiting the Windows "securi...
FortiCloud XSS vulnerability in on-demand sandbox GUI
Before Dec 5th, 2017, a Cross-Site-Scripting XSS vulnerability in forticloud.com on-demand sandbox GUI may have allowed an authenticated user to inject arbitrary web code or HTML in the context of the victim's browser via the upload of a maliciously crafted file...
SSL VPN Web Portal user credentials may be leaked to super_admins
An admin user with superadmin privileges i.e. with a superadmin profile may view the current sslvpn web portal session info, using the fnsysctl CLI command. This info includes user credentials...
FortiWebManager 5.8.0 improperly handles admin login access
FortiWebManager 5.8.0 fails to check the admin password, granting access regardless of the provided string...
FortiWeb Stored XSS vulnerability on webUI certificate view page
There exists a persistent Cross-site Scripting XSS vulnerability on FortiWeb's webUI Certificate View page, which can be triggered via malicious certificate import...
FortiOS Reflected XSS in Web Proxy Disclaimer Response web page
A reflected XSS vulnerability exists in FortiOS web proxy disclaimer response web pages, potentially exploitable by an unauthenticated attacker, via sending a maliciously crafted URL to the victim. The victim visiting the malicious URL would then have arbitrary javascript code executed in the...
ROCA: Vulnerable RSA key pairs generation (CVE-2017-15361)
An old Infineon RSA library does not properly generate RSA key pairs, therefore enabling an attacker to potentially infer a private key from a public key...
BlueBorne vulnerabilities and security flaws in Bluetooth stacks
A collection of Bluetooth implementation vulnerabilities known as "BlueBorne" has been released. These vulnerabilities collectively affect Windows, iOS, and Linux-kernel-based operating systems including Android and Tizen, and may in the worst case allow an unauthenticated attacker to perform...
FortiOS SSL Deep-Inspection possible Insecure Renegotiation
FortiOS SSL Deep-Inspection may enable insecure renegotiation between TLS clients and servers that support secure renegotiation, opening the door to potential Man-in-the-Middle attacks CVE-2009-3555 against the TLS connection, where an attacker could inject arbitrary data in the connection withou...
FortiClient privilege escalation vulnerability
A low privileged user may be able to execute arbitrary code by exploiting a FortiClientNamedPipe vulnerability...
Apache Tomcat vulnerabilities
Multiple Remote Code Execution RCE vulnerabilities CVE-2017-12615, CVE-2017-12617 are affecting Apache Tomcat...
FortiOS web GUI logindisclaimer redir parameter XSS vulnerability
A reflected XSS vulnerability exists in FortiOS web GUI "Login Disclaimer" redir parameter. It is potentially exploitable by a remote unauthenticated attacker, via sending a maliciously crafted URL to a victim who has an open session on the web GUI. Visiting that malicious URL may cause the...
FortiOS DoS on webUI through 'params' JSON parameter
An authenticated user may pass a specially crafted payload to the 'params' parameter of the JSON web API URLs (with /json), which can cause the web user interface to be temporarily unresponsive...
Key Reinstallation Attacks: Cryptographic/protocol attack against WPA2
Several vulnerabilities affect the Wi-Fi Protected Access II (WPA2) protocol, potentially enabling Man-in-the-Middle (MitM) attacks between Wifi Clients and Access Points running WPA2. The impact includes decryption, packet replay, TCP connection hijacking and HTTP content injection...
FortiWLC file management OS Command Injection vulnerability
The FortiWLC file management AP script download webUI page is affected by an OS Command Injection vulnerability which may allow an authenticated admin user to execute arbitrary system console commands, and possibly subsequently "root" the device...
FortiMail reflected XSS vulnerability under customized webmail login page
There exists a reflected cross-site scripting XSS vulnerability on FortiMail customized pre-authentication webmail login page, allowing successful attackers to run arbitrary javascript code in the security context of their victim's browser...
FortiWLC XSS injection via crafted HTTP POST request
The FortiWLC admin webUI is affected by XSS vulnerabilities, potentially exploitable by an authenticated user, via non-sanitized parameters "refresh" and "branchtotable" present in HTTP POST requests. A successful attack would involve getting a targeted victim with an open session on the WebUI t...
Apache Struts RCE Vulnerability
Multiple Remote Code Execution vulnerabilities CVE-2017-9805, CVE-2017-9804, CVE-2017-9793 are affecting Apache Struts...
FortiWeb SNMPv3 user password viewable in HTML source code
The HTML source code of the FortiWeb SNMPv3 user edit webui page includes the user's password in cleartext...
FortiOS IKE VendorID version information disclosure
The FortiOS IKE packets which include the Vendor ID embed the FortiOS build version number...
FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages
Three XSS vulnerabilities...
LibGD security advisory [18 January 2017]
The LibGD project released advisories on January 18th, 2017, July 22nd, 2016 and June 25th, 2016 describing 12 vulnerabilities, as listed below:...
FortiWLM upgrade user account hard-coded credentials
FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raisin...
FortiOS XSS vulnerabilities via User Groups & Config Revision Comments
Two XSS vulnerabilities were reported to us affecting FortiOS that can be exploited to load and run a remote malicious Javascript in a logged in browser...
FortiOS stored XSS vulnerability in the policy global-label parameter
FortiOS is subject to a Cross-Site Scripting vulnerability, due to an improperly sanitized parameter in a hidden CLI configuration setting named 'global-label'. This can however only be exploited by an administrator with write privileges...