PSIRT Advisories

FortiAuthenticator multiple vulnerabilities

Impact Detail

Older versions of FortiAuthenticator are subject to three vulnerabilities:
1. Local password disclosure: Upon booting, passwords for local accounts (e.g. PostgreSQL) are logged to the startup debug logs. These local accounts can, however, only be accessed by a user who already has shell access to the FortiAuthenticator.
2. Local file system disclosure: An admin user with CLI access can view local files on the filesystem by using the -f option of the dig command.
3. Reflected XSS: A remote attacker can perform a reflected XSS attack via an improperly sanitized parameter.
Note:
The "subshell bypass" vulnerability claimed by security-assessment.com (CVE-2015-1458) is not acknowledged as a vulnerability by Fortinet: a support-provided debug kit is needed to write the "/tmp/privexec/dbgcore_enable_shell_access" file from an admin account and in turn obtain a root shell. This is a feature used for advanced troubleshooting.
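As an added illustration of how the local file disclosure in item 2 is avoided by design (this is example code written for this page, not Fortinet's implementation; the wrapper, the accepted option set and the hostname checks are assumptions), the following Python wrapper exposes dig from a restricted admin CLI using an allow-list. Rather than blocking the known file-reading -f switch, it accepts only the argument shapes a DNS diagnostic needs, so any dash option, including -f, is refused before the real binary runs.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed example: an allow-list validator for arguments passed from a
# restricted admin CLI to the system `dig` binary. Only a query name, a
# record type, an @server and a few harmless +options are permitted.
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_RECORD_TYPES = {"A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME", "PTR"}
_SAFE_PLUS_OPTIONS = {"+short", "+tcp", "+noall", "+answer", "+trace"}


def validate_dig_args(args: List[str]) -> Tuple[bool, str]:
    """Return (ok, reason). Anything not on the allow-list is rejected."""
    if not args:
        return False, "no query given"
    for arg in args:
        if arg.startswith("-"):
            # Every dash option is refused, so -f <file> (read queries from a
            # local file) can never reach dig, nor can any future switch.
            return False, f"option not permitted: {arg}"
        if arg.startswith("@"):
            server = arg[1:]
            if not (_IPV4.match(server) or _HOSTNAME.match(server)):
                return False, f"bad server: {arg}"
        elif arg.startswith("+"):
            if arg not in _SAFE_PLUS_OPTIONS:
                return False, f"query option not permitted: {arg}"
        elif arg.upper() in _RECORD_TYPES:
            continue
        elif _HOSTNAME.match(arg) or _IPV4.match(arg):
            continue
        else:
            # Catches shell metacharacters, paths and anything else unexpected.
            return False, f"unexpected argument: {arg}"
    return True, "ok"


def run_dig(args: List[str]) -> str:
    """Validate, then execute dig with an argv list (never a shell string)."""
    ok, reason = validate_dig_args(args)
    if not ok:
        raise ValueError(reason)
    result = subprocess.run(["dig", *args], capture_output=True, text=True, timeout=10)
    return result.stdout
```

The point of the allow-list is that the wrapper does not need to know which dig switches read files: a restricted CLI that forwards unknown options is only as safe as the binary's least expected flag.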

Affected Products

Password disclosure and local file disclosure (CVE-2015-1456, CVE-2015-1455, CVE-2015-1457) affect FortiAuthenticator lower than 3.2.0.
Reflected XSS (CVE-2015-1459) affects FortiAuthenticator lower than 3.2.1.
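To turn the two version thresholds above into a fleet check, here is an added Python example (not a Fortinet tool; the inventory and host names are constructed) that maps each CVE in this advisory to its fixed-in version and reports which CVEs still apply to a given FortiAuthenticator version. It compares versions numerically, so 3.10.x is correctly treated as newer than 3.2.1.

```python
import re
from typing import Dict, List, Tuple

# Fixed-in versions as stated in this advisory.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2015-1455": (3, 2, 0),  # password / local file disclosure
    "CVE-2015-1456": (3, 2, 0),
    "CVE-2015-1457": (3, 2, 0),
    "CVE-2015-1459": (3, 2, 1),  # reflected XSS
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.2.1', 'v3.10.0' or '3.2.1 build 0123' -> numeric tuple; raise on junk."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '3.2' to (3, 2, 0)


def applicable_cves(version: str) -> List[str]:
    """CVEs from this advisory that still apply to the given version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def assess_fleet(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """host -> applicable CVEs; hosts on 3.2.1 or higher map to an empty list."""
    return {host: applicable_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {"fac-dc1": "3.1.2", "fac-dc2": "3.2.0", "fac-lab": "v3.10.1"}
    for host, cves in assess_fleet(sample).items():
        print(host, "OK" if not cves else ", ".join(cves))
```

A device on 3.2.0 is reported as still exposed to the reflected XSS only, which matches the two thresholds in the advisory; anything at 3.2.1 or higher reports nothing.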

Solutions

Upgrade to FortiAuthenticator 3.2.1 or higher.