PSIRT Advisory
FortiOS admin privilege escalation via restoring configs
Summary
A privilege escalation vulnerability in FortiOS may allow admin users to elevate their profile to super_admin, via restoring modified configurations.
Impact
Privilege Escalation
Affected Products
FortiOS 6.0.0 to 6.0.6
FortiOS 5.6.0 to 5.6.10
FortiOS 5.4 all versions and below.
Solutions
FortiOS 6.0 upgrade to 6.0.7 or 6.2.0 and above
FortiOS 5.6 upgrade to 5.6.11 and above
FortiOS 5.4 and below upgrade to 5.6.11 or above
Workarounds
The conditions to achieve privilege escalation via this vulnerability are as follows:
* Regular mode (no VDOM):
The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write"
* VDOM mode:
The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write", and the user's profile's scope is set to "global"
The following CLI commands prevent those conditions from being met:
* Regular mode:
config system accprofile
    edit [profile-name]
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
end
* VDOM mode:
config system accprofile
    edit [profile-name]
        set scope vdom
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
end
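To find which admin profiles on a device still meet the conditions listed above before applying the workaround, an operator can run a check over a text configuration backup. The script below is an added example, not Fortinet code: it assumes the backup uses the plain "config system accprofile" / "edit" / "set" / "next" / "end" layout shown in the workaround, that a non-custom "set sysgrp read-write" grants every system sub-permission, and that a profile with no explicit "scope" line is not global. Whether the device runs in VDOM mode is passed in as a flag rather than parsed. The sample configuration text is constructed for the example.

```python
"""Audit FortiOS admin profiles for the advisory's privilege-escalation conditions."""

# Constructed sample of a FortiOS text backup excerpt (example data, not from the advisory).
SAMPLE_CONFIG = """\
config system global
    set hostname example-fgt
end
config system accprofile
    edit "prof_admin"
        set scope global
        set sysgrp read-write
        config sysgrp-permission
        end
    next
    edit "helpdesk"
        set scope vdom
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
            set mnt read-write
        end
    next
    edit "netops"
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt read-write
        end
    next
end
"""


def parse_accprofiles(config_text):
    """Return {profile_name: {"scope": ..., "sysgrp": ..., "perm": {...}}}.

    Minimal line-oriented parser for the 'config system accprofile' table
    (assumed backup format; only the keys this check needs are used).
    """
    profiles = {}
    in_table = False   # inside "config system accprofile"
    in_perm = False    # inside the nested "config sysgrp-permission" block
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_table:
            if line == "config system accprofile":
                in_table = True
            continue
        if line.startswith("edit "):
            name = line[5:].strip().strip('"')
            # Assumption: a profile without an explicit scope line is not global.
            current = {"scope": "vdom", "sysgrp": "none", "perm": {}}
            profiles[name] = current
        elif line == "config sysgrp-permission":
            in_perm = True
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            if in_perm:
                current["perm"][key] = value
            else:
                current[key] = value
        elif line == "end":
            if in_perm:
                in_perm = False
            else:
                in_table = False   # closing "end" of the accprofile table
        elif line == "next":
            current = None
    return profiles


def is_vulnerable_profile(profile, vdom_mode):
    """Apply the advisory's conditions: Administrator Users ("admin") and
    Maintenance ("mnt") both read-write, plus scope global in VDOM mode."""
    sysgrp = profile.get("sysgrp", "none")
    if sysgrp == "read-write":
        # Assumption: a blanket read-write sysgrp grants every sub-permission.
        admin = mnt = "read-write"
    elif sysgrp == "custom":
        admin = profile["perm"].get("admin", "none")
        mnt = profile["perm"].get("mnt", "none")
    else:
        return False
    if admin != "read-write" or mnt != "read-write":
        return False
    if vdom_mode and profile.get("scope") != "global":
        return False
    return True


def find_risky_profiles(config_text, vdom_mode):
    """Names of profiles that should get the workaround (set admin/mnt to none)."""
    profiles = parse_accprofiles(config_text)
    return sorted(n for n, p in profiles.items() if is_vulnerable_profile(p, vdom_mode))


if __name__ == "__main__":
    for mode in (False, True):
        label = "VDOM mode" if mode else "regular mode"
        print(f"{label}: {find_risky_profiles(SAMPLE_CONFIG, mode)}")
```

In the constructed sample, regular mode flags both "prof_admin" and "helpdesk", while VDOM mode flags only "prof_admin" because "helpdesk" is scoped to a VDOM; "netops" is never flagged because its Administrator Users privilege is already "none".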
Revision History:
04-02-2019 Initial version
08-21-2019 New fix on 5.6.11 released.
11-14-2019 New fix on 6.0.7 released.
05-22-2020 Add Reference.
Acknowledgement
Fortinet is pleased to thank independent researcher youssef El GARROUM for reporting this vulnerability under responsible disclosure.