ZebOS routing remote shell service enabled

ZebOS routing remote shell service enabled

Description

A remote attacker may access the internal ZebOS shell of FortiOS 5.2.3 without authentication on the HA ("High Availability") dedicated management interface only.
Only FortiGates configured with HA *and* with an enabled HA dedicated management interface are vulnerable.
Note: when a FortiGate is configured to use HA, the dedicated management interface is disabled by default .

Impact Detail

Mitigating factors: A vulnerable custom configuration would require to have HA enabled in the System Config HA menu with the mode setting set to Active-Passive or Active-Active *and* the "Reserve Management Port for Cluster Member" checkbox ticked.
CLI custom HA active-passive configuration example that would be vulnerable:
config system ha
set group-name "TEST"
set mode a-p
set ha-mgmt-status enable
set ha-mgmt-interface "port4"
end

Affected Products

FortiGate v5.2.3 only.

Solutions

FortiOS 5.2.3 must be upgraded to FortiOS 5.2.4.
FortiOS 5.2.2 and lower are not affected.
FortiOS 5.0.12 and lower are not affected.
As a workaround the LAN access to the HA interface may be filtered by a transit firewall or not routed.

Acknowledgement

Thanks to Burda Digital Systems.