FortiOS & FortiProxy – Authorization bypass in SSLVPN bookmarks

Summary

An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS and FortiProxy SSLVPN may allow an authenticated attacker to gain access to another user’s bookmark via URL manipulation.

Version Affected Solution
FortiOS 7.4 7.4.0 through 7.4.1 Upgrade to 7.4.2 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.1 through 7.0.13 Upgrade to 7.0.14 or above
FortiOS 6.4 6.4.7 through 6.4.14 Upgrade to 6.4.15 or above
FortiProxy 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiProxy 7.2 7.2.0 through 7.2.8 Upgrade to 7.2.9 or above
FortiProxy 7.0 7.0.0 through 7.0.14 Upgrade to 7.0.15 or above
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Workaround:
Disable SSL VPN web mode.

Acknowledgement

Internally discovered and reported by Kai Ni from Burnaby InfoSec team.

Timeline

2024-03-01: Initial publication