PSIRT Advisory
FortiOS malformed HTTP or SSL/TLS traffic control
Summary
FortiOS Explicit Web Proxy by default allows non-standard HTTP traffic.
FortiOS SSL/SSH Inspection Profile by default allows non-standard SSL/TLS traffic.
Impact
Operational Risk, Traffic Bypass
Affected Products
With default settings, this operational risk applies to all FortiOS versions.
Solutions
Non-standard HTTP traffic can be disallowed with the following CLI commands:
config web-proxy global
    set tunnel-non-http disable
end
(The default value of tunnel-non-http is "enable".)
Non-standard SSL/TLS traffic can be disallowed with the following CLI commands, repeated for each inspected protocol in the profile:
config firewall ssl-ssh-profile
    edit [profile-name]
        config [protocols]
            set ports [port]
            set unsupported-ssl block
        end
    end
end
(The default value of unsupported-ssl is "bypass".)
Starting from FortiOS 6.2.1, administrators can also disallow both through the admin WebUI:
For Explicit Web Proxy: Network -> Explicit Proxy -> Protocol Enforcement (default is off)
For SSL/SSH Inspection: Security Profiles -> SSL/SSH Inspection -> Enforce SSL Protocol Compliance (default is off)
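As an added example that is not part of this advisory or of any Fortinet tooling, the following script parses an exported FortiOS configuration and reports where the permissive defaults described above are still in effect. It assumes that configuration backups omit settings left at their default value (so an absent key means the default) and that the listed ssl-ssh-profile sub-blocks are the ones carrying unsupported-ssl; the sample configuration is constructed.

```python
import shlex

# Constructed FortiOS config-backup excerpt used as sample input (not from the advisory).
# Note that 'config web-proxy global' is absent entirely, i.e. fully on defaults.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set unsupported-ssl bypass
        end
        config smtps
            set ports 465
            set unsupported-ssl block
        end
    next
    edit "certificate-inspection"
        config https
            set ports 443
        end
    next
end
"""
# ssl-ssh-profile sub-blocks that carry 'unsupported-ssl' (assumed list).
PROTOCOLS = {"ssl", "https", "ftps", "imaps", "pop3s", "smtps"}


def parse(text):
    """Nest 'config X' / 'edit X' blocks as dicts; 'set k v' lines become string leaves."""
    stack = [{}]
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        if tokens[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tokens), {}))
        elif tokens[0] == "set":
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] in ("end", "next"):
            stack.pop()
    return stack[0]


def audit(tree):
    """List settings still on the advisory's defaults; a missing key counts as the default."""
    findings = []
    if tree.get("config web-proxy global", {}).get("tunnel-non-http", "enable") == "enable":
        findings.append("web-proxy global: tunnel-non-http enable (non-standard HTTP is tunnelled)")
    for name, profile in tree.get("config firewall ssl-ssh-profile", {}).items():
        for block, settings in profile.items():
            proto = block.split()[-1]
            if block.startswith("config ") and proto in PROTOCOLS \
                    and settings.get("unsupported-ssl", "bypass") == "bypass":
                findings.append(f"ssl-ssh-profile {name.split()[-1]}/{proto}: unsupported-ssl bypass")
    return findings
```

Run audit(parse(open(path).read())) against a real backup; an empty list means both controls are enforced everywhere they were written out.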
Acknowledgement
Fortinet thanks the security research company Praetorian for bringing this to our attention and providing proofs of concept.