-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0292
                 FortiOS CAPWAP server two vulnerabilities
                              6 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         FortiGuard Labs
Operating System:  Network Appliance
Impact/Access:     Denial of Service    -- Remote/Unauthenticated      
                   Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-1452 CVE-2015-1451 

Original Bulletin: 
   http://www.fortiguard.com/advisory/FG-IR-15-002/

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiOS CAPWAP server two vulnerabilities

Info

Risk 2 Low

Date Feb 05 2015

Impact Limitation of Capwap service, authenticated XSS

CVE ID CVE-2015-1451, CVE-2015-1452

Impact

CAPWAP stands for Control And Provisioning of Wireless Access Points; it is a
standard protocol that enables an Access Controller (AC) to manage a 
collection of wireless Access Points (AC).

Fortinet FortiOS embeds a CAPWAP server, which allows FortiGates to act as an
Access Controller. This CAPWAP server is subject to two vulnerabilities, 
mitigated by various factors.

1. A DoS condition: The server only accepts to control a limited number of 
concurrent APs. Sending enough fake "ClientHello" new AP requests to the 
server will prevent the addition of new legitimate APs.

2. An XSS vulnerability: Sending a CAPWAP join message to the server, with 
javascript embedded in the AP name, results in this javascript being executed
when a user attempts to manage the access points from the FortiGate's 
administration GUI.

Mitigation factors:

CAPWAP is not enabled by default on FortiOS, hence the vulnerabilities only 
concern users who actively use it to manage a collection of Access Points.

For the latter, the mitigation factors then apply:

Regarding the DoS condition: The attacker must have network access to the 
CAPWAP server. This usually implies having access to the physical, wired 
network linking APs to the server (as the FortiGate is meant to serve as a 
gateway between the isolated APs network and other networks). Beyond this, a 
successful DoS attack would prevent addition of new APs, but would not disrupt
the CAPWAP service for APs that have already been configured.

Regarding the XSS vulnerability: The attacker must have network access to the
CAPWAP server (see DoS condition above), and authenticate as a legitimate AP 
during the DTLS handshake (CAPWAP join requests happen after the DTLS channel
is established), which requires being in possession of an X.509 Certificate 
(and its associated private key) from an actual FortiAP.

Note:

According to security-assessment.com, there would be a DTLS Man-in-the-Middle
vulnerability, between the CAPWAP server and the APs, due to the fact "The 
CAPWAP DTLS protocol was found to use a universal Fortinet_Factory certificate
and private key, the certificate authority for which is static across all 
Fortinet devices".

This is untrue: The Fortinet_Factory certificate is unique to each device, and
signed by Fortinet's root CA (Fortinet_ca). An attacker cannot therefore stage
a MitM attack using the certificate and private key published by 
security-assessment.com (except if the attack targets the FortiGate they used
for their test).

Affected Products

FortiOS 4.3.0 and later with CAPWAP enabled.

Solutions
Make sure CAPWAP is disabled if not needed:

show system interface

Must not display "capwap" in the "allowaccess" entry. If it is present, the 
interface must be re-configured without capwap. For instance:

config system interface
  edit "port1"
    set allowaccess ssh https
  end
end

If CAPWAP is needed, the following workarounds apply:

Regarding the DoS condition and the XSS vulnerability: Use a local-in policy to 
restrict access to the CAPWAP server to IP addresses of legitimate APs. For 
instance, to authorize only the 192.168.1.0/24 subnet:

config firewall address
    edit "lan_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall service custom
edit "capwap_udp"
    set udp-portrange 5246
next
end

config firewall local-in-policy
    edit 0
        set intf "any"
        set srcaddr "lan_subnet"
        set dstaddr "all"
        set service "capwap_udp"
        set schedule "always"
    next
end

Regarding the XSS vulnerability, to prevent a successful attacker from 
hijacking your user session in the GUI, make sure to restrict your Trusted 
Hosts to your IP address only:

Single-vdom configuration: System->Admin->Administrators
Multi-vdoms configuration: Global->Admin->Administrators

Contact: psirt@fortinet.com

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVNQYeRLndAQH1ShLAQIz1xAAocvvDhgck5uV4OwI7xTI8IZRxpbf0v/1
BcCtMvtROdZW2EYJC0iXDhEkuxneB/IW/qXhq8fMsx4iWNr3Ye6WuZEHSqRtS+49
+i/UYI+Nip5T9zESRuxwUOsWz9oeUubSgmP46VUNUFoqS38UVE5euQUJCNLSIxl2
Dk+/0poaZvONbL3qG2py2ZYdxiZCOly+kHBJJVnG+qXQwJEZiLVRc3wrGUf3eB3u
0IYFnYKaaG3SjkRsA5wt9mSRaQ0Yu58PxIHB/zvbEZU39OXFqs011gKj96U07t//
0N2DsRkM6hWKZS4GFGuiwK6g62hvev3xi+1cZlSURqZXPUa4w3uAZROjKoKlVhpX
s5zr30+rUrvaHiv8BOBsjUlfIVp/tL29bDWKsm4dJFgAmvMd/I06DstrDncrshWQ
8Wib/E356FK3jQ7e/KfLbdyzolPacQBAbwsx6DyeZgzdI6wsH7OWsyOTR7SBvkdm
kdvTYdjYUQ0pCo3Sp4r4iki5gJdT5y38Jb6C3mBYLILbu1sE6TOoCTt7zirCJ4q/
R1mNgYB4MKqlHpr6GkEmHg9EXIdpgG3X76XtHSmMzSJtndm9Ry0URAweJOzbYk83
e4hdTriVpG9Q+zcJtHTt3sG3kvOSFqCuTrsyGRb7il4yAH04JCd3M4Q0lfTX945w
8etF1ENoaWQ=
=IBP1
-----END PGP SIGNATURE-----