FortiOS CAPWAP server two vulnerabilities Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-15-002 Final 1 1 2015-02-05T00:00:00 Current version 2015-02-05T00:00:00 2015-02-05T00:00:00 Limitation of Capwap service, authenticated XSS FortiOS with CAPWAP enabled:5.2.2 and below5.0.11 and below Upgrade FortiOS to the following versions:5.4.05.2.35.0.12Workaround:Make sure CAPWAP is disabled if not needed:show system interfaceMust not display "capwap" in the "allowaccess" entry. If it is present, the interface must be re-configured without capwap. For instance:config system interface   edit "port1"       set allowaccess ssh https   endendIf CAPWAP is needed, the XSS vulnerability have been fixed starting with FortiOS 5.2.3.Otherwise the following workarounds apply:Regarding the DoS condition and the XSS vulnerability: Use a local-in policy to restrict access to the CAPWAP server to IP addresses of legitimate APs. Forinstance, to authorize only the 192.168.1.0/24 subnet:config firewall address   edit "lan_subnet"   set subnet 192.168.1.0 255.255.255.0   nextendconfig firewall service custom   edit "capwap_udp"       set udp-portrange 5246   nextendconfig firewall local-in-policy   edit 0       set intf "any"       set srcaddr "lan_subnet"       set dstaddr "all"       set service "capwap_udp"       set schedule "always"   nextendRegarding the XSS vulnerability, to prevent a successful attacker from hijacking your user session in the GUI, make sure to restrict your Trusted Hosts to your IP address only:Single-vdom configuration: System->Admin->AdministratorsMulti-vdoms configuration: Global->Admin->Administrators CVE-2015-1451 CVE-2015-1452 https://fortiguard.fortinet.com/psirt/FG-IR-15-002 FortiOS CAPWAP server two vulnerabilities Reference>