<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>[FortiOS] SSL VPN account hijack (unauthorized modification of users passwords)</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
    </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-18-389</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2019-08-30T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
            </cvrf:Revision>
        </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2019-08-30T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2019-08-30T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            An Improper Authorization vulnerability in the SSL VPN web portal may allow an unauthenticated attacker to change the password of locally authenticated SSL VPN web portal users via specially crafted HTTP requests.
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="2">
            Improper access control
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="3">
            FortiOS 6.0.0 to 6.0.4
            FortiOS 5.6.0 to 5.6.8
            FortiOS 5.4.1 to 5.4.10
            Affected only if the SSL VPN service (web-mode or tunnel-mode) is enabled, and only SSL VPN users with local authentication are affected (SSL VPN users with remote authentication via LDAP or RADIUS are not impacted).
            Versions 5.4.0 and below (including branch 5.2) are not affected.
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            Upgrade to FortiOS 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above.

            Mitigation:
            SSL VPN users with local authentication can mitigate the impact by enabling Two-Factor Authentication (2FA): if their password is changed by an attacker leveraging this vulnerability, the attacker will still not be able to log in and use their SSL VPN account.

            Workaround:
            The only workaround is to migrate SSL VPN user authentication from local to remote (LDAP or RADIUS), or to completely disable the SSL VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:

            config vpn ssl settings
                unset source-interface
            end

            Note that firewall policies tied to SSL VPN will need to be removed first for the above sequence to execute successfully. As an example, when source-interface is &#34;port1&#34; and the SSL VPN interface is &#34;ssl.root&#34;, the following CLI commands would be needed to ensure &#34;unset source-interface&#34; executes successfully:

            config vpn ssl settings
                config authentication-rule
                    purge (purge all authentication rules)
                end
            end
            config firewall policy
                delete [policy-id] (SSL VPN policy ID(s) whose srcintf is &#34;ssl.root&#34; and dstintf is &#34;port1&#34;)
            end

            Revision History:
            2019-05-24 Initial version
            2019-06-04 Clarified the affected versions and workarounds.
            2019-08-30 Add two-factor authentication (2FA) mitigation.
            2019-08-30 Add public disclosure reference link.
        </cvrf:Note>
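        <cvrf:Note Title="Exposure check (added example)" Type="Other" Ordinal="5">
<![CDATA[
The following Python script is an added example; it is not Fortinet's code and not part of the original advisory. It applies the advisory's affected-version ranges and exposure conditions to a FortiOS configuration: a device is flagged only when its version is in an affected range, source-interface is set under config vpn ssl settings (the SSL VPN service is enabled), and at least one config user local entry uses password authentication. It also lists the firewall policy IDs whose srcintf is an ssl.* interface, which are the policies the workaround above says must be deleted before unset source-interface succeeds. The FortiOS CLI keywords it parses (config/edit/set/next/end, set source-interface, set type password|ldap|radius, set srcintf) are standard show output syntax and are an assumption of this example, as is the default of type password when set type is omitted; the sample configuration is constructed for the example.

```python
"""Exposure check for FG-IR-18-389 / CVE-2018-13382. Added example, not Fortinet's
code. Applies the advisory's affected ranges and exposure conditions to FortiOS
`show` output. The CLI syntax parsed is standard FortiOS output and is assumed;
SAMPLE_CONFIG is constructed for this example."""
import re
from collections import defaultdict

# Affected ranges and first fixed release per branch, from the advisory.
# 5.4.0 and below (including 5.2) and 6.2.0 and above are not affected.
AFFECTED = [
    ((6, 0, 0), (6, 0, 4), "6.0.5"),
    ((5, 6, 0), (5, 6, 8), "5.6.9"),
    ((5, 4, 1), (5, 4, 10), "5.4.11"),
]

def parse_version(text):
    """'6.0.4' or 'v6.0.4,build0231' (as in `get system status`) -> (6, 0, 4)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised FortiOS version: %r" % text)
    return tuple(int(x) for x in m.groups())

def fixed_version_for(version):
    """First fixed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED:
        if low <= v <= high:
            return fix
    return None

def parse_fortios_config(text):
    """Minimal parser for config/edit/set/next/end blocks. Returns
    {section path: {entry name: {key: [values]}}}; settings directly under a
    section (no `edit`) go under entry None. `unset` and comments are ignored."""
    sections = defaultdict(dict)
    path, entries = [], []  # section names and the active `edit` per level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
            entries.append(None)
        elif cmd == "edit":
            entries[-1] = args[0]
        elif cmd == "set":
            sections[" ".join(path)].setdefault(entries[-1], {})[args[0]] = args[1:]
        elif cmd == "next":
            entries[-1] = None
        elif cmd == "end":
            path.pop()
            entries.pop()
    return sections

def ssl_vpn_exposure(config_text):
    """Collect the facts the advisory ties exposure to."""
    cfg = parse_fortios_config(config_text)
    source_if = cfg.get("vpn ssl settings", {}).get(None, {}).get("source-interface", [])
    # `type` defaults to password when omitted (FortiOS default, assumed here).
    local_users = sorted(
        name for name, attrs in cfg.get("user local", {}).items()
        if name is not None and attrs.get("type", ["password"])[0] == "password")
    # Policies whose srcintf is the SSL VPN interface (ssl.<vdom>): the workaround
    # says these must be deleted before `unset source-interface` will succeed.
    policies = sorted(
        int(pid) for pid, attrs in cfg.get("firewall policy", {}).items()
        if pid is not None and any(i.startswith("ssl.") for i in attrs.get("srcintf", [])))
    return {"ssl_vpn_enabled": bool(source_if), "source_interface": source_if,
            "local_password_users": local_users, "ssl_vpn_policy_ids": policies}

def assess(version, config_text):
    """Exposed only if the version is affected AND SSL VPN is enabled AND at least
    one local password user exists (remote-auth-only deployments are not impacted)."""
    fix = fixed_version_for(version)
    exp = ssl_vpn_exposure(config_text)
    exposed = bool(fix) and exp["ssl_vpn_enabled"] and bool(exp["local_password_users"])
    return {"exposed": exposed, "fixed_version": fix, **exp}

# Constructed sample: SSL VPN on port1, one local-password and one LDAP user.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set source-interface "port1"
end
config user local
    edit "alice"
        set type password
    next
    edit "bob"
        set type ldap
        set ldap-server "corp-ldap"
    next
end
config firewall policy
    edit 5
        set srcintf "ssl.root"
        set dstintf "port1"
    next
end
"""

if __name__ == "__main__":
    print(assess("v6.0.4,build0231", SAMPLE_CONFIG))
```

Feed it the version line from get system status and the text of show full-configuration. After applying the workaround (unset source-interface), ssl_vpn_enabled turns False and the verdict clears even on an affected build; after migrating all users to LDAP or RADIUS, local_password_users is empty with the same effect.
]]>
        </cvrf:Note>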
    </cvrf:DocumentNotes>
    <cvrf:DocumentReferences>
        <cvrf:Reference>
            <cvrf:URL>https://fortiguard.fortinet.com/psirt/FG-IR-18-389</cvrf:URL>
            <cvrf:Description>[FortiOS] SSL VPN account hijack (unauthorized modification of users passwords)</cvrf:Description>
        </cvrf:Reference>
        <cvrf:Reference>
            <cvrf:URL>https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html</cvrf:URL>
            <cvrf:Description>https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html</cvrf:Description>
        </cvrf:Reference>
    </cvrf:DocumentReferences>
    <cvrf:Acknowledgments>
        <cvrf:Acknowledgment>
            <cvrf:Description>Fortinet is pleased to thank Meh Chang and Orange Tsai from DEVCORE Security Research Team for reporting this vulnerability under responsible disclosure.</cvrf:Description>
        </cvrf:Acknowledgment>
    </cvrf:Acknowledgments>
    <Vulnerability Ordinal="1">
        <Title>[FortiOS] SSL VPN account hijack (unauthorized modification of users passwords)</Title>
        <cvrf:CVE>CVE-2018-13382</cvrf:CVE>
        <CVSSScoreSets>
            <ScoreSetV3>
                <BaseScoreV3>8.9</BaseScoreV3>
                <VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RL:X/RC:X</VectorV3>
            </ScoreSetV3>
        </CVSSScoreSets>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-18-389</URL>
                <Description>[FortiOS] SSL VPN account hijack (unauthorized modification of users passwords)</Description>
            </Reference>
            <Reference>
                <URL>https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html</URL>
                <Description>https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html</Description>
            </Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>