Application control block page leaks private IP and hostname
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-18-085
Final
1
1
2018-08-23T00:00:00
Current version
2018-08-23T00:00:00
2018-08-23T00:00:00
The default replacement message in FortiOS' Application control block page reveals the private IP as well as the hostname of the FortiGate.
Information disclosure
FortiOS 5.6.5, 6.0.1 and below.
Upgrade to FortiOS 5.6.6, 6.0.2 or later.
Workaround: All the replacement messages are configurable by administrators. The default replacement messages are just templates. An administrator can easily change them to suit their needs, for example by removing the server/client IPs and FortiOS host names.
Fortinet is pleased to thank Anandraj Amaran, Security Researcher, 22by7 solutions (22by7.in), and Mark Oakton at Infosec Partners for reporting this vulnerability under responsible disclosure.
FortiOS 6.0.1
FortiOS 6.0.0
FortiOS 5.6.5
FortiOS 5.6.4
FortiOS 5.6.3
FortiOS 5.6.2
FortiOS 5.6.1
FortiOS 5.6.0
CVE-2018-13365
FortiOS-6.0.1
FortiOS-6.0.0
FortiOS-5.6.5
FortiOS-5.6.4
FortiOS-5.6.3
FortiOS-5.6.2
FortiOS-5.6.1
FortiOS-5.6.0
5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-18-085