06 January 2020
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2019.1823.2
           FortiOS SSL VPN web portal Host Header Redirection
                              6 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Fortinet SSL VPN
Publisher:         Fortinet
Operating System:  Network Appliance
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-13384

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-19-002

Revision History:  January 6 2020: New fix on 5.2.15 released
                   May 22 2019:    Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

FortiOS SSL VPN web portal Host Header Redirection

IR Number : FG-IR-19-002
Date      : May 17, 2019
Risk      : 2/5
Impact    : Improper Access Control
CVE ID    : CVE-2018-13384

Summary

A Host Header Redirection vulnerability exists in FortiOS SSL-VPN web portal:
when an attacker submits specially crafted HTTP requests, the SSL-VPN web
portal may respond with a redirection to websites specified by the attacker.

If a web proxy's cache is poisoned with the aforementioned redirection, users
of this web proxy may be directed to the attacker's specified websites when
trying to access the SSL-VPN web portal.

Impact

Improper Access Control

Affected Products

FortiOS 5.4.0 to 6.0.4, 5.2.14 and below.

Solutions

Upgrade to FortiOS 5.2.15, 6.0.5 or 6.2.0

Workarounds:

The risk is low as the attack needs to be combined with other attacks to have
an impact. As a measure of precaution, administrators may want to disable the
SSL-VPN web portal service by applying the following CLI commands:

    config vpn ssl settings
    unset source-interface
    end

Revision History:

2019-05-17 Initial version
2020-01-03 New fix on 5.2.15 released.

Acknowledgement

Fortinet is pleased to thank Julio Sanchez from SecureAuth Corporation for
reporting this vulnerability under responsible disclosure.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
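
An added example, not part of the AusCERT bulletin or Fortinet's advisory: one way to audit forward-proxy records for the condition the Summary describes, a portal redirect that points at an unexpected host and that a shared cache may store. The record layout, `PORTAL_HOSTS`, the hostnames and the `/portal/login` path are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only hostnames the SSL-VPN portal is legitimately served under.
PORTAL_HOSTS = {"vpn.example.org"}

# Constructed sample records (not real traffic): request Host header plus the
# status, Location and Cache-Control of the response a forward proxy saw.
SAMPLE = [
    {"host": "vpn.example.org", "status": 302,
     "location": "https://vpn.example.org/portal/login", "cache_control": "no-store"},
    {"host": "unexpected.example.net", "status": 302,
     "location": "https://unexpected.example.net/portal/login",
     "cache_control": "max-age=600"},
    {"host": "vpn.example.org", "status": 200, "location": None,
     "cache_control": "no-store"},
    {"host": "VPN.example.org:443", "status": 301, "location": "/portal/login",
     "cache_control": ""},
]

def norm_host(value):
    """Lower-case a Host header value and drop any port or trailing dot."""
    return (urlsplit("//" + value).hostname or "").rstrip(".")

def shared_cache_may_store(status, cache_control):
    """Simplified storability check: ignores Expires and heuristic freshness."""
    d = {p.strip().lower().split("=")[0] for p in cache_control.split(",")}
    if d & {"no-store", "private"}:
        return False
    # 301 and 308 are cacheable by default; other redirects need explicit freshness.
    return status in (301, 308) or bool(d & {"max-age", "s-maxage", "public"})

def audit(records, portal_hosts=PORTAL_HOSTS):
    """Return one finding per redirect whose absolute target is not a portal host."""
    findings = []
    for i, r in enumerate(records):
        if r["status"] not in (301, 302, 303, 307, 308) or not r["location"]:
            continue
        target = urlsplit(r["location"]).hostname  # None for a relative Location
        if target is None or target.rstrip(".") in portal_hosts:
            continue
        findings.append({
            "index": i,
            "target": target,
            "reflects_host_header": target.rstrip(".") == norm_host(r["host"]),
            "cacheable": shared_cache_may_store(r["status"], r["cache_control"]),
        })
    return findings
```

A finding with both `reflects_host_header` and `cacheable` set is the case worth purging from the proxy cache and checking against the fixed FortiOS releases listed under Solutions.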