PSIRT Advisories

FortiOS malformed HTTP or SSL/TLS traffic control

Summary

FortiOS Explicit Web Proxy by default allows non-standard HTTP traffic.

FortiOS SSL/SSH Inspection Profile by default allows non-standard SSL/TLS traffic.

Affected Products

This possible operational risk applies by default to all FortiOS versions.

Solutions

Non-standard HTTP traffic can be disallowed with the following CLI commands:

config web-proxy global
    set tunnel-non-http disable    (default value "enable")
end


Non-standard SSL/TLS traffic can be disallowed with the following CLI commands (repeat the protocol sub-table for each protocol the profile inspects):

config firewall ssl-ssh-profile
    edit [profile-name]
        config [protocols]
            set ports [port]
            set unsupported-ssl block    (default value "bypass")
        end
    next
end


Starting from 6.2.1, FortiOS also allows administrators to disallow both through the admin WebUI:

For Explicit Web Proxy: Network -> Explicit Proxy -> Protocol Enforcement (default is off)

For SSL/SSH Inspection: Security Profiles -> SSL/SSH Inspection -> Enforce SSL Protocol Compliance (default is off)
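The following audit script is an added example and not part of the advisory or of Fortinet's tooling: it parses a FortiOS CLI configuration dump (a constructed sample is embedded) and reports every place where the two permissive defaults named above are still in effect, treating a value absent from the dump as being at its documented default. The helper names and the assumption that the ssh sub-table does not use unsupported-ssl are mine.

```python
import re

# Constructed sample of the two CLI sections this advisory covers (not a real dump).
SAMPLE_CONFIG = """\
config web-proxy global
    set tunnel-non-http enable
end
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config https
            set ports 443
            set unsupported-ssl bypass
        end
        config smtps
            set ports 465
        end
    next
end
"""

def parse_fortios(text):
    """Flatten a FortiOS CLI dump into {"config/edit/path": {setting: value}}."""
    path, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'^(config|edit)\s+"?([^"]+?)"?$', line):
            path.append(m.group(2))            # 'config X' / 'edit Y' open a scope
            settings.setdefault("/".join(path), {})
        elif line in ("end", "next"):
            path.pop()                         # 'end' / 'next' close the scope
        elif m := re.match(r'^set\s+(\S+)\s+"?([^"]*?)"?$', line):
            settings["/".join(path)][m.group(1)] = m.group(2)
    return settings

def find_permissive_defaults(text):
    """Return (path, finding) for each place a permissive default is in effect.
    Assumption: a value missing from the dump is at its documented default."""
    settings = parse_fortios(text)
    findings = []
    if settings.get("web-proxy global", {}).get("tunnel-non-http", "enable") == "enable":
        findings.append(("web-proxy global", "tunnel-non-http enable: non-standard HTTP is tunnelled"))
    for path, kv in settings.items():
        # Protocol sub-tables carry 'set ports'; the ssh table uses a different knob (assumed).
        if path.startswith("firewall ssl-ssh-profile/") and "ports" in kv and not path.endswith("/ssh"):
            if kv.get("unsupported-ssl", "bypass") == "bypass":
                findings.append((path, "unsupported-ssl bypass: non-standard SSL/TLS is passed"))
    return findings
```

Run it against a `show full-configuration` export to list the profiles and protocol tables that still need `set unsupported-ssl block`.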

Acknowledgement

Fortinet thanks the security research company Praetorian for bringing this to our attention with supporting proofs.