===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2786
                      FortiOS Multiple vulnerabilities
                                26 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         Fortiguard
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security        -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   https://fortiguard.com/psirt/FG-IR-16-090
   https://fortiguard.com/psirt/FG-IR-19-111

Comment: This bulletin contains two (2) Fortiguard security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

FortiOS TCP timestamp response

IR Number : FG-IR-16-090
Date      : Jul 24, 2019
Risk      : 1/5
Impact    : Information Disclosure

Summary

FortiOS by default enables TCP timestamp response, which may lead to
information disclosure. The TCP timestamp response can be used to approximate
the FortiOS device uptime, potentially aiding in further attacks. This may be
used by an attacker to estimate whether FortiOS has not been upgraded to the
latest version, because upgrading resets the device's uptime.

Impact

Information Disclosure

Affected Products

FortiOS all versions, when TCP timestamp is enabled (default setting)

Solutions

FortiOS supports admin CLI console commands to disable the TCP timestamp:

config system global
    set tcp-option disable    /* enable is the default value */
end

Disabling tcp-option strips the TCP header Timestamp, Selective
Acknowledgements (SACK) and Window Scaling options altogether, which can lead
to a performance penalty for services hosted on FortiOS in certain network
environments.
For details about the tcp-option, please refer to the Fortinet knowledge base:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD44724

==============================================================================

FortiOS malformed HTTP or SSL/TLS traffic control

IR Number : FG-IR-19-111
Date      : Jul 24, 2019
Risk      : 3/5
Impact    : Operational Risk, Traffic Bypass

Summary

FortiOS Explicit Web Proxy by default allows non-standard HTTP traffic.
FortiOS SSL/SSH Inspection Profile by default allows non-standard SSL/TLS
traffic.

Impact

Operational Risk, Traffic Bypass

Affected Products

By default, this possible operational risk is applicable to all FortiOS
versions.

Solutions

Non-standard HTTP traffic can be disallowed with the following CLI commands:

config web-proxy global
    set tunnel-non-http disable    (default value "enable")
end

Non-standard SSL/TLS traffic can be disallowed with the following CLI
commands:

config firewall ssl-ssh-profile
    edit [profile-name]
        config [protocols]
            set ports [port]
            set unsupported-ssl block    (default value "bypass")
        end
    end

Starting from 6.2.1, FortiOS allows administrators to disallow both via the
admin WebUI as well:

For Explicit Web Proxy:
   Network -> Explicit Proxy -> Protocol Enforcement (default is off)

For SSL/SSH Inspection:
   Security Profiles -> SSL/SSH Inspection -> Enforce SSL Protocol Compliance
   (default is off)

Acknowledgement

Fortinet thanks the security research company Praetorian for bringing this to
our attention with certain proofs.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
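The three settings named in the two advisories above (tcp-option, tunnel-non-http and unsupported-ssl) are all weak by default, and FortiOS configuration exports usually omit values that are still at their default. The following is an added configuration audit written for this bulletin, not Fortinet's or AusCERT's own code; it parses a constructed sample of the FortiOS CLI config syntax and treats a missing setting as the weak default, so a clean export does not pass silently.

```python
# Constructed sample FortiOS config export (not from a real device). Exports
# usually omit default values, so a missing setting means the weak default.
SAMPLE_CONFIG = """\
config web-proxy global
    set tunnel-non-http disable
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set unsupported-ssl bypass
        end
    next
    edit "strict"
        config https
            set ports 443
            set unsupported-ssl block
        end
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS-style dump into {block_path_tuple: {key: value}}."""
    settings, path = {}, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):      # open a block or a table entry
            path.append(rest.strip('"'))
            settings.setdefault(tuple(path), {})
        elif word in ("end", "next"):       # close the innermost block/entry
            path.pop()
        elif word == "set":
            key, _, value = rest.partition(" ")
            settings.setdefault(tuple(path), {})[key] = value.strip('"')
    return settings


def audit(text):
    """One finding per setting still at (or defaulting to) the weak value."""
    cfg, findings = parse_fortios(text), []
    if cfg.get(("system global",), {}).get("tcp-option", "enable") != "disable":
        findings.append("system global: tcp-option enable (TCP timestamps reveal uptime)")
    if cfg.get(("web-proxy global",), {}).get("tunnel-non-http", "enable") != "disable":
        findings.append("web-proxy global: tunnel-non-http enable (non-HTTP traffic bypasses proxy)")
    for path, vals in cfg.items():          # every protocol block of every profile
        if len(path) == 3 and path[0] == "firewall ssl-ssh-profile" \
                and vals.get("unsupported-ssl", "bypass") != "block":
            findings.append(f"ssl-ssh-profile {path[1]}/{path[2]}: unsupported-ssl bypass")
    return findings
```

Run `audit()` over a `show full-configuration` export; the sample above yields two findings (the absent tcp-option setting and the deep-inspection profile), and the strict profile passes.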
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================