FortiOS CAPWAP server two vulnerabilities
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-15-002
Final
2015-02-05T00:00:00
Limitation of CAPWAP service, authenticated XSS

Affected products: FortiOS with CAPWAP enabled, 5.2.2 and below, 5.0.11 and below
Solution:

Upgrade FortiOS to one of the following versions: 5.4.0, 5.2.3, 5.0.12.

Workaround:

Make sure CAPWAP is disabled if not needed. The output of

    show system interface

must not display "capwap" in the "allowaccess" entry. If it is present, the interface must be re-configured without capwap. For instance:

    config system interface
        edit "port1"
            set allowaccess ssh https
        end
    end

If CAPWAP is needed, the XSS vulnerability has been fixed starting with FortiOS 5.2.3. Otherwise the following workarounds apply:

Regarding the DoS condition and the XSS vulnerability: use a local-in policy to restrict access to the CAPWAP server to the IP addresses of legitimate APs. For instance, to authorize only the 192.168.1.0/24 subnet:

    config firewall address
        edit "lan_subnet"
            set subnet 192.168.1.0 255.255.255.0
        next
    end

    config firewall service custom
        edit "capwap_udp"
            set udp-portrange 5246
        next
    end

    config firewall local-in-policy
        edit 0
            set intf "any"
            set srcaddr "lan_subnet"
            set dstaddr "all"
            set service "capwap_udp"
            set schedule "always"
        next
    end

Regarding the XSS vulnerability, to prevent a successful attacker from hijacking your user session in the GUI, make sure to restrict your Trusted Hosts to your IP address only:

Single-VDOM configuration: System->Admin->Administrators
Multi-VDOM configuration: Global->Admin->Administrators
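To audit the `show system interface` output the workaround asks you to inspect, here is an added Python example (not Fortinet's code): it flags every interface whose allowaccess list contains capwap and builds the corrective `config system interface` stanza in the same form as the advisory's example. The sample output is constructed, and `unset allowaccess` is used for an interface that allowed only capwap.

```python
import re

# Constructed sample of `show system interface` output; not taken from a real device.
SAMPLE_SHOW_OUTPUT = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh capwap
    next
    edit "port2"
        set allowaccess ping https
    next
    edit "port3"
        set allowaccess capwap
    next
end
"""

def capwap_exposed_interfaces(show_output):
    """Return [(interface, allowaccess services)] for every interface whose
    allowaccess list contains capwap, which the advisory says must not appear."""
    exposed = []
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        edit = re.match(r'^edit "([^"]+)"$', line)
        if edit:
            current = edit.group(1)
        elif line.startswith("set allowaccess ") and current is not None:
            services = line.split()[2:]
            if "capwap" in services:
                exposed.append((current, services))
        elif line in ("next", "end"):
            current = None
    return exposed

def remediation_commands(show_output):
    """Build the CLI stanza that drops capwap from each exposed interface,
    keeping the other services; an interface that allowed only capwap gets
    `unset allowaccess` (FortiOS resets the setting to its default)."""
    lines = ["config system interface"]
    for name, services in capwap_exposed_interfaces(show_output):
        kept = [s for s in services if s != "capwap"]
        lines.append(f'    edit "{name}"')
        lines.append(f"        set allowaccess {' '.join(kept)}" if kept
                     else "        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)

if __name__ == "__main__":
    print(remediation_commands(SAMPLE_SHOW_OUTPUT))
```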
CVE-2015-1451
CVE-2015-1452

Reference: https://fortiguard.fortinet.com/psirt/FG-IR-15-002