FortiOS multiple pre-authentication Information Disclosure

Summary

Multiple information exposure vulnerabilities in FortiOS may allow an unauthenticated attacker to perform some information gathering via parsing the HTTP headers, web portal certificate, and error messages. The exposed information includes the FortiGate's model, serial number and internal IP address.

Affected Products

* HTTP Server Header Information Disclosure:
FortiOS all versions before 6.0.4
* Admin web portal builtin certificate Information Disclosure:
FortiOS all versions before 6.2.3 when using builtin certificate as admin web portal server certificate
* Application Control Violation error message Information Disclosure:
FortiOS 6.0.1, 6.0.0, 5.6.6 and below

Solutions

* HTTP Server Header Information Disclosure: Upgrade to FortiOS versions 6.0.4 or above. * Admin web portal builtin certificate Information Disclosure Upgrade to FortiOS 6.2.3 or later versions [*] [*] For hardware FortiOS models, When upgrading from older versions to FortiOS 6.2.3 and self-signed certificates are used, admins need to re-apply the self-signed certificates (choose another cert and change back to self-signed) after the upgrade. This upgrading issue does not impact FortiOS VM models and is addressed in FortiOS 6.2.4. To verify the operation succeeded, set self-sign as admin webUI server certificate and read the cert detail through the web browser - the CN should be "FortiGate" instead the SN of the FortiGate device. * Application Control Violation error message Information Disclosure: Upgrade to FortiOS 5.6.6, 6.0.2 or later versions Workarounds: * HTTP Server Header Information Disclosure: Limit admin web portal access to local network only. * Admin web portal builtin certificate Information Disclosure: Upload and use a 3rd party signed certificate as admin web portal server certificate or Limit admin web portal access to local network only. * Application Control Violation error message Information Disclosure: Refer to https://fortiguard.com/psirt/FG-IR-18-085 Revision History: 2019-03-29 Initial release 2019-10-17 Fix the admin webUI builtin certificate SN leak issue.