FortiOS admin privilege escalation via restoring configs
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-17-053
Status: Final
Current version: 2019-11-14
A privilege escalation vulnerability in FortiOS may allow admin users to elevate their profile to super_admin, via restoring modified configurations.
Impact: Privilege Escalation

Affected products:
  FortiOS 6.0.0 to 6.0.6
  FortiOS 5.6.0 to 5.6.10
  FortiOS 5.4 all versions and below

Solutions:
  FortiOS 6.0: upgrade to 6.0.7 or 6.2.0 and above
  FortiOS 5.6: upgrade to 5.6.11 and above
  FortiOS 5.4 and below: upgrade to 5.6.11 or above

Workarounds:
The conditions to achieve privilege escalation via this vulnerability are as follows:
  * Regular mode (no VDOM): the user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write"
  * VDOM mode: the user's profile "Administrator Users" and "Maintenance" privileges are both set to "read-write", and the user's profile's scope is set to "global"

The following CLI commands prevent those conditions from being met:
  * Regular mode:
      config system accprofile
          edit [profile-name]
              set sysgrp custom
              config sysgrp-permission
                  set admin none
                  set mnt none
              end
          next
      end
  * VDOM mode:
      config system accprofile
          edit [profile-name]
              set scope vdom
              set sysgrp custom
              config sysgrp-permission
                  set admin none
                  set mnt none
              end
          next
      end

Revision History:
  04-02-2019 Initial version
  08-21-2019 New fix on 5.6.11 released.
  11-14-2019 New fix on 6.0.7 released.
  05-22-2020 Add Reference.
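As an added defensive check that is not part of this advisory: a small Python script (assumed names parse_accprofiles and vulnerable_profiles, run against a constructed "config system accprofile" snippet) lists the profiles that satisfy the conditions above in either mode. It goes slightly beyond the advisory in treating "set sysgrp read-write" as granting both permissions, and assumes "scope" defaults to vdom when unset.

```python
import re

# Constructed sample (not from the advisory): an exposed, a hardened, and a sysgrp read-write profile.
SAMPLE_CONFIG = """
config system accprofile
    edit "helpdesk"
        set scope global
        set sysgrp custom
        config sysgrp-permission
            set admin read-write
            set mnt read-write
        end
    next
    edit "hardened"
        set sysgrp custom
        config sysgrp-permission
            set admin none
            set mnt none
        end
    next
    edit "ops"
        set sysgrp read-write
    next
end
"""

def parse_accprofiles(text):
    """Map profile name -> scope, sysgrp, and the admin/mnt sysgrp permissions."""
    profiles, current, in_perm = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "?([^"]+)"?$', line):
            current = m.group(1)  # scope assumed to default to vdom when unset
            profiles[current] = dict(scope="vdom", sysgrp="none", admin="none", mnt="none")
        elif line in ("config sysgrp-permission", "end"):
            in_perm = line.startswith("config")
        elif current and (m := re.match(r"set (scope|sysgrp|admin|mnt) (\S+)", line)):
            key, val = m.groups()
            if key in ("admin", "mnt") and not in_perm:
                continue  # admin/mnt only count inside sysgrp-permission
            profiles[current][key] = val
    return profiles

def vulnerable_profiles(text, vdom_mode):
    """Profiles meeting the advisory's escalation conditions for the given mode."""
    def exposed(p):  # 'set sysgrp read-write' grants all system permissions, admin and mnt included
        both_rw = p["sysgrp"] == "read-write" or p["admin"] == p["mnt"] == "read-write"
        return both_rw and (not vdom_mode or p["scope"] == "global")
    return [name for name, p in parse_accprofiles(text).items() if exposed(p)]
```

Run it against the output of "show system accprofile" from a device to get a list of profiles to review, then apply the workaround above to each one that is flagged.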
References:
  https://fortiguard.fortinet.com/psirt/FG-IR-17-053 (FortiOS admin privilege escalation via restoring configs)
  https://kb.fortinet.com/kb/documentLink.do?externalID=FD45563
Fortinet is pleased to thank independent researcher youssef El GARROUM for reporting this vulnerability under responsible disclosure.
FortiOS 6.2.0
FortiOS 6.0.7
FortiOS 6.0.6
FortiOS 6.0.5
FortiOS 6.0.4
FortiOS 6.0.3
FortiOS 6.0.2
FortiOS 6.0.1
FortiOS 6.0.0
FortiOS 5.6.10
FortiOS 5.6.9
FortiOS 5.6.8
FortiOS 5.6.7
FortiOS 5.6.6
FortiOS 5.6.5
FortiOS 5.6.4
FortiOS 5.6.3
FortiOS 5.6.2
FortiOS 5.6.1
FortiOS 5.6.0
FortiOS 5.4.13
FortiOS 5.4.12
FortiOS 5.4.11
FortiOS 5.4.10
FortiOS 5.4.9
FortiOS 5.4.8
FortiOS 5.4.7
FortiOS 5.4.6
FortiOS 5.4.5
FortiOS 5.4.4
FortiOS 5.4.3
FortiOS 5.4.2
FortiOS 5.4.1
FortiOS 5.4.0
CVE ID: CVE-2017-17544
CVSSv3.1 score: 5.3
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:X/RC:X