===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2786
                     FortiOS Multiple vulnerabilities
                               26 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           FortiOS
Publisher:         Fortiguard
Operating System:  Network Appliance
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   https://fortiguard.com/psirt/FG-IR-16-090
   https://fortiguard.com/psirt/FG-IR-19-111

Comment: This bulletin contains two (2) Fortiguard security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

FortiOS TCP timestamp response

IR Number : FG-IR-16-090

Date      : Jul 24, 2019

Risk      : 1/5

Impact    : Information Disclosure

Summary

FortiOS by default enables TCP timestamp response, which may lead to
information disclosure.


The TCP timestamp response can be used to approximate the FortiOS device
uptime, potentially aiding in further attacks. An attacker may use it to
estimate whether FortiOS has been upgraded to the latest version, because
upgrading resets the device's uptime.

Impact

Information Disclosure

Affected Products

FortiOS all versions, when TCP timestamp is enabled (default setting)

Solutions

FortiOS supports admin CLI console commands to disable the TCP timestamp:


config system global
    set tcp-option disable /* enable is the default value */
end


Disabling tcp-option strips the TCP header Timestamp, Selective
Acknowledgements (SACK) and Window Scaling options altogether, which can lead
to a performance penalty for services hosted on FortiOS in certain network
environments.


For details about the tcp-option, please refer to the Fortinet knowledge base:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44724
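The following is an added example, not code from Fortinet or AusCERT: a small
parser for the TCP options field of a captured SYN-ACK that reports whether the
three options "set tcp-option disable" removes (Timestamp, SACK-permitted,
Window Scale) are still present, so an administrator can confirm from a packet
capture that the mitigation took effect. The option byte strings are constructed
samples; what FortiOS actually emits after the change is an assumption.

```python
import struct

# TCP option kinds (RFC 793, RFC 7323, RFC 2018)
KIND_EOL, KIND_NOP, KIND_MSS, KIND_WSCALE, KIND_SACK_PERM, KIND_TIMESTAMP = 0, 1, 2, 3, 4, 8
# Options the advisory says "set tcp-option disable" strips
STRIPPED_BY_MITIGATION = {"Timestamp", "SACK-permitted", "WScale"}

def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP options field and return {option name: value}."""
    found, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError(f"malformed option at offset {i}")
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if len(body) != length - 2:
            raise ValueError(f"truncated option kind {kind} at offset {i}")
        if kind == KIND_MSS:
            found["MSS"] = struct.unpack("!H", body)[0]
        elif kind == KIND_WSCALE:
            found["WScale"] = body[0]
        elif kind == KIND_SACK_PERM:
            found["SACK-permitted"] = True
        elif kind == KIND_TIMESTAMP:
            found["Timestamp"] = struct.unpack("!II", body)  # (TSval, TSecr)
        else:
            found[f"kind-{kind}"] = body
        i += length
    return found

def uptime_exposed(raw: bytes) -> bool:
    """True while the SYN-ACK still carries a Timestamp option (TSval visible)."""
    return "Timestamp" in parse_tcp_options(raw)

def options_still_present(raw: bytes) -> set:
    """Which of the three mitigation-stripped options the capture still shows."""
    return STRIPPED_BY_MITIGATION & set(parse_tcp_options(raw))

# Constructed SYN-ACK options (assumed default): MSS 1460, SACK-permitted, Timestamp, NOP, WScale 7
WITH_TCP_OPTION = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a"
                   + struct.pack("!II", 123456789, 0) + b"\x01" + b"\x03\x03\x07")
# Constructed SYN-ACK options after "set tcp-option disable": MSS only (assumption)
WITHOUT_TCP_OPTION = b"\x02\x04\x05\xb4"
```

Feed parse_tcp_options() the options bytes from a SYN-ACK sent by the appliance; an empty options_still_present() result means the mitigation is in place.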

==============================================================================

FortiOS malformed HTTP or SSL/TLS traffic control

IR Number : FG-IR-19-111

Date      : Jul 24, 2019

Risk      : 3/5

Impact    : Operational Risk, Traffic Bypass

Summary

FortiOS Explicit Web Proxy by default allows non-standard HTTP traffic.


FortiOS SSL/SSH Inspection Profile by default allows non-standard SSL/TLS
traffic.

Impact

Operational Risk, Traffic Bypass

Affected Products

By default, this possible operational risk is applicable to all FortiOS
versions.

Solutions

Non-standard HTTP traffic can be disallowed with the following CLI commands:

config web-proxy global
    set tunnel-non-http disable (default value "enable")
end


Non-standard SSL/TLS traffic can be disallowed with the following CLI commands:

config firewall ssl-ssh-profile
    edit [profile-name]
        config [protocols]
            set ports [port]
            set unsupported-ssl block (default value "bypass")
        end
    end
end


Starting from 6.2.1, FortiOS allows administrators to disallow both via the
admin WebUI as well:


For Explicit Web Proxy: Network -> Explicit Proxy -> Protocol Enforcement
(default is off)


For SSL/SSH Inspection: Security Profiles -> SSL/SSH Inspection -> Enforce SSL
Protocol Compliance (default is off)
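The following is an added illustration, not Fortinet's detection logic or any
code from the advisory: a rough TLS compliance test on the first bytes of a flow
arriving on an inspected port, and a decide() function that mirrors the
unsupported-ssl setting, showing why the "bypass" default lets non-TLS traffic
through uninspected. The ClientHello and the non-compliant samples are constructed.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
MAX_RECORD_LEN = 2 ** 14 + 2048   # TLS 1.2 upper bound on a record fragment

def looks_like_tls_client_hello(data: bytes) -> bool:
    """Rough compliance test on the first bytes of a flow: a TLS record of type
    handshake, protocol version 3.x, carrying a ClientHello whose declared
    length fits the record. Anything else counts as 'unsupported SSL'."""
    if len(data) < 11:        # record header (5) + handshake header (4) + client_version (2)
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if rec_len < 6 or rec_len > MAX_RECORD_LEN:
        return False
    hs_type, hs_len = data[5], int.from_bytes(data[6:9], "big")
    if hs_type != CLIENT_HELLO or hs_len != rec_len - 4:
        return False
    return data[9] == 3       # client_version major byte

def decide(first_bytes: bytes, unsupported_ssl: str = "bypass") -> str:
    """Mirror the profile knob: compliant flows go to inspection; everything
    else gets the configured treatment. 'bypass' (the default) hands the
    flow through uninspected, which is the traffic-bypass risk."""
    if unsupported_ssl not in ("bypass", "block"):
        raise ValueError("unsupported-ssl must be 'bypass' or 'block'")
    return "inspect" if looks_like_tls_client_hello(first_bytes) else unsupported_ssl

def constructed_client_hello() -> bytes:
    """Minimal well-formed TLS 1.2 ClientHello (constructed sample)."""
    body = (b"\x03\x03" + bytes(32)            # client_version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00")                     # null compression only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake

# Constructed samples of traffic arriving on an inspected port
GOOD_HELLO = constructed_client_hello()
PLAIN_HTTP_ON_443 = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BAD_VERSION = b"\x16\x09\x01" + GOOD_HELLO[3:]                # record version 9.1
LENGTH_MISMATCH = GOOD_HELLO[:8] + b"\x05" + GOOD_HELLO[9:]   # handshake length lies
```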

Acknowledgement

Fortinet thanks the security research company Praetorian for bringing this to
our attention together with supporting proofs.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================