Multiple vulnerabilities in FortiProxy SSL-VPN



Risk Medium
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2021-22128
CVE-2020-6648
CVE-2019-17655
CVE-2018-13380
CWE-ID CWE-284
CWE-312
CWE-79
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		FortiProxy
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor Fortinet, Inc

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU51224

Risk: Medium

CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22128

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted resources.

The vulnerability exists due to improper access restrictions within the Quick connection functionality implementation. A remote authenticated user can bypass implemented security restrictions and access internal service such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality

Mitigation


Vulnerable software versions

FortiProxy: 1.0.0 - 2.0.0

CPE2.3 External links

http://www.fortiguard.com/psirt/FG-IR-20-235


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cleartext storage of sensitive information

EUVDB-ID: #VU51226

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-6648

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to FortiOS displays usernames and passwords in clear text in "diag sys ha checksum show" command output. A local user with ability to connect to FortiGate CLI and execute the command can obtain credentials of other users.

Mitigation

Install update from vendor's website.

Vulnerable software versions

FortiProxy: 1.0.0 - 2.0.0

CPE2.3 External links

http://www.fortiguard.com/psirt/FG-IR-20-236


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cleartext storage of sensitive information

EUVDB-ID: #VU30254

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17655

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN 6.2.0 to 6.2.2, 6.0.9 and below may allow an attacker to retrieve a logged-in SSL VPN user's credentials should that attacker be able to read the session file stored on the targeted device's system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

FortiProxy: 1.0.0 - 2.0.0

CPE2.3 External links

http://www.fortiguard.com/psirt/FG-IR-20-224


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site scripting

EUVDB-ID: #VU18608

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-13380

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the SSL VPN web portal. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

FortiProxy: 1.0.0 - 2.0.0

CPE2.3 External links

http://www.fortiguard.com/psirt/FG-IR-20-230


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###