Firewall session injection in FGSP
Summary
An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS may allow an unauthenticated attacker to inject unauthorized sessions via crafted FGSP session synchronization packets.
| Version | Affected | Solution |
|---|---|---|
| FortiOS 7.6 | 7.6.0 | Upgrade to 7.6.1 or above |
| FortiOS 7.4 | 7.4.0 through 7.4.5 | Upgrade to 7.4.6 or above |
| FortiOS 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiOS 7.0 | 7.0 all versions | Migrate to a fixed release |
| FortiOS 6.4 | 6.4 all versions | Migrate to a fixed release |
Workaround
Create local-in policies that restrict access to UDP port 708 to the FGSP session synchronization interface and to the peer IP addresses only. Replace the `<FGSP_sync_interface>` placeholder with the name of the interface that carries FGSP session synchronization traffic, and make sure `my_allowed_addresses` exists as a firewall address object holding the peer IPs before it is referenced by the group. Local-in policies are matched top-down, so the accept entry must precede the catch-all deny:

```
config firewall service custom
    edit "FGSP"
        set udp-portrange 708
    next
end
config firewall addrgrp
    edit "FGSP_Peer_IPs"
        set member "my_allowed_addresses"
    next
end
config firewall local-in-policy
    edit 1
        set intf "<FGSP_sync_interface>"
        set srcaddr "FGSP_Peer_IPs"
        set dstaddr "all"
        set action accept
        set service "FGSP"
        set schedule "always"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "FGSP"
        set schedule "always"
    next
end
```
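As an added example that is not Fortinet's code and not part of this advisory, the Python script below parses a FortiOS CLI configuration dump (the `config`/`edit`/`set`/`next`/`end` format used in the workaround) and audits whether the FGSP local-in hardening is present and correctly ordered: a custom service covering UDP/708, an accept policy bound to a specific interface and a non-`all` source, and a catch-all deny that comes after it. It assumes local-in policies are evaluated top-down with first match, that `action` defaults to deny, and that `port3` stands in for the synchronization interface; the two sample configurations are constructed for the example.

```python
# Added example (not Fortinet's code): audit a FortiOS CLI dump for the FGSP
# local-in hardening: accept UDP/708 from peers on the sync interface, then deny it
# everywhere else. Assumes top-down policy matching and 'action' defaulting to deny.
import shlex
FGSP_PORT = 708  # FGSP session synchronization runs over UDP/708

def parse_fortios(text):
    """Parse the config/edit/set/next/end subset of FortiOS CLI into nested dicts,
    e.g. {"firewall local-in-policy": {"1": {"intf": ["port3"], ...}}} (order kept)."""
    root = {}
    stack = [("config", root)]  # (kind, node), kind is "config" or "edit"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", node))
        elif kw == "edit":
            node = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", node))
        elif kw == "set" and args:  # a bare 'set intf' without a value is ignored
            stack[-1][1][args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":  # closes the table even if the last 'edit' had no 'next'
            while stack.pop()[0] != "config":
                pass
    return root

def services_covering_udp(cfg, port):
    """Names of custom services whose udp-portrange includes `port`."""
    names = set()
    for name, svc in cfg.get("firewall service custom", {}).items():
        for spec in svc.get("udp-portrange", []):
            # FortiOS syntax: "708", "700-710" or "708:1024-65535" (dst[:src])
            lo, _, hi = spec.split(":")[0].partition("-")
            if int(lo) <= port <= int(hi or lo):
                names.add(name)
    return names

def audit_fgsp_local_in(cfg):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    fgsp = services_covering_udp(cfg, FGSP_PORT)
    if not fgsp:
        return ["no custom service covers UDP/708, so FGSP traffic cannot be filtered"]
    accept_ok = deny_seen = False
    for pid, pol in cfg.get("firewall local-in-policy", {}).items():
        if not fgsp & set(pol.get("service", [])):
            continue  # policy does not apply to FGSP traffic
        action = pol.get("action", ["deny"])[0]
        intf, src = pol.get("intf", []), pol.get("srcaddr", [])
        if action == "accept":
            problems = [msg for cond, msg in (
                (deny_seen, f"policy {pid}: accept sits below the catch-all deny and never matches"),
                (not intf or "any" in intf, f"policy {pid}: accept is not bound to the FGSP sync interface"),
                (not src or "all" in src, f"policy {pid}: accept admits any source, not only FGSP peers"),
            ) if cond]
            findings.extend(problems)
            accept_ok = accept_ok or not problems
        elif "any" in intf and "all" in src:
            deny_seen = True  # catch-all deny for UDP/708 from everywhere else
    if not accept_ok:
        findings.append("no accept policy restricted to the sync interface and peer addresses")
    if not deny_seen:
        findings.append("no catch-all deny for UDP/708 on other interfaces or sources")
    return findings

# Constructed sample: the workaround with the interface filled in (dstaddr/schedule omitted).
HARDENED = """config firewall addrgrp
    edit "FGSP_Peer_IPs"
        set member "my_allowed_addresses"
    end
config firewall service custom
    edit "FGSP"
        set udp-portrange 708
    next
end
config firewall local-in-policy
    edit 1
        set intf "port3"
        set srcaddr "FGSP_Peer_IPs"
        set action accept
        set service "FGSP"
    next
    edit 2
        set intf "any"
        set srcaddr "all"
        set action deny
        set service "FGSP"
    next
end
"""
# Constructed sample: same service, but the only policy accepts from anywhere and no deny follows.
WEAK = (HARDENED.replace('set intf "port3"', 'set intf "any"')
                .replace('set srcaddr "FGSP_Peer_IPs"', 'set srcaddr "all"')
                .split("    edit 2")[0] + "end\n")
```

Feed `audit_fgsp_local_in(parse_fortios(text))` the concatenated output of `show firewall service custom` and `show firewall local-in-policy` from the unit; an empty result means the filtering and ordering match the workaround. The audit does not verify that the members of the peer address group are really the FGSP peers, so that part still needs a manual check.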