PSIRT Advisories

FortiGate fails to block malformed HTTP/S traffic when transparent proxy is enabled

Summary

When traffic other than HTTP/S (e.g. SSH) traverses the FortiGate on port 80/443, it is not redirected to the transparent proxy policy for processing, so that policy never gets the chance to block it.

Affected Products

The issue is observed only when traffic is redirected to a transparent proxy policy.

FortiGate versions 6.4.2 and below.

FortiGate versions 6.2.5 and below.

Solutions

Please upgrade to FortiGate version 6.4.3 or above.


Workaround:

To block invalid HTTP traffic on port 80, disable the tunnel-non-http setting:


config web-proxy global
    set tunnel-non-http disable
end



To block invalid HTTPS traffic on port 443, set the unsupported-ssl setting to "block":


config firewall ssl-ssh-profile
    edit [profile-name]
        config https
            set ports 443
            set unsupported-ssl block
        end
    end
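Both workaround settings can be verified from a configuration export. The following audit script is an added example, not Fortinet's code; it assumes a plain-text CLI-style export and that an unset key takes the FortiOS default (tunnel-non-http enable, unsupported-ssl bypass).

```python
# Constructed sample (not captured from a real device): one profile still
# bypasses unsupported SSL, the other uses the workaround setting.
SAMPLE_CONFIG = """\
config web-proxy global
    set tunnel-non-http enable
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set unsupported-ssl bypass
        end
    next
    edit "hardened"
        config https
            set unsupported-ssl block
        end
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts: config/edit open a scope, set stores
    a value, next closes an edit, end closes the enclosing config."""
    root, stack = {}, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        verb, _, rest = line.partition(" ")
        if verb in ("config", "edit"):
            parent = stack[-1][1] if stack else root
            stack.append((verb, parent.setdefault(rest.strip().strip('"'), {})))
        elif verb == "set":
            key, _, value = rest.partition(" ")
            stack[-1][1][key] = value.strip().strip('"')
        elif verb == "next":
            stack.pop()
        elif verb == "end":  # also leaves an open edit, as the CLI does
            while stack and stack.pop()[0] != "config":
                pass
    return root

def audit(cfg):
    """Return findings; an empty list means both workaround settings are set.
    Assumption: an unset key takes the FortiOS default (enable / bypass)."""
    findings = []
    if cfg.get("web-proxy global", {}).get("tunnel-non-http", "enable") != "disable":
        findings.append("web-proxy global: tunnel-non-http is not disabled")
    for name, prof in cfg.get("firewall ssl-ssh-profile", {}).items():
        if prof.get("https", {}).get("unsupported-ssl", "bypass") != "block":
            findings.append(f"ssl-ssh-profile {name}: unsupported-ssl is not block")
    return findings
```

Run audit(parse_fortios(text)) over a real export; the parser also accepts the end/end form used in the workaround above.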

Acknowledgement

Fortinet is pleased to thank Marko Winkler, Tobias Leydow, Marcus Schiefer and Sebastian Toth of T-Systems Multimedia Solutions GmbH for reporting this vulnerability under responsible disclosure.