FortiGate privilege escalation through restore config Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-053 Final 1 1 2019-11-14T00:00:00 Current version 2019-11-14T00:00:00 2019-11-14T00:00:00 A privilege escalation vulnerability in FortiOS may allow admin users to elevate their profile to super_admin, via restoring modified configurations. Escalation of privilege FortiOS 6.0.0 to 6.0.6FortiOS 5.6.0 to 5.6.10FortiOS 5.4 all versions and below. FortiOS 6.0 upgrade to 6.0.7 or 6.2.0 and aboveFortiOS 5.6 upgrade to 5.6.11 and aboveFortiOS 5.4 and below upgrade to 5.6.11 or aboveWorkarounds:The conditions to achieve privilege escalation via this vulnerability are as follows:* Regular mode (no VDOM):The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write"* VDOM mode:The user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write", and the user's profile's scope is set to "global"The following CLI commands prevent those conditions to be met:* Regular mode:config system accprofile edit [profile-name] set sysgrp custom config sysgrp-permission set admin none set mnt none end nextend* VDOM mode:config system accprofile edit [profile-name] set scope vdom set sysgrp custom config sysgrp-permission set admin none set mnt none end nextendRevision History:04-02-2019 Initial version08-21-2019 New fix on 5.6.11 released.11-14-2019 New fix on 6.0.7 released.05-22-2020 Add Reference. https://fortiguard.fortinet.com/psirt/FG-IR-17-053 FortiGate privilege escalation through restore config https://kb.fortinet.com/kb/documentLink.do?externalID=FD45563 https://kb.fortinet.com/kb/documentLink.do?externalID=FD45563 Fortinet is pleased to thank independent researcher youssef El GARROUM for reporting this vulnerability under responsible disclosure. CVE-2017-17544 5.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-17-053 FortiGate privilege escalation through restore config Reference> https://kb.fortinet.com/kb/documentLink.do?externalID=FD45563 https://kb.fortinet.com/kb/documentLink.do?externalID=FD45563