FortiOS - Bypassing FortiGate security profiles via SNI in Client Hello
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-20-091
Final
1
1
2022-03-01T00:00:00
Current version
2022-03-01T00:00:00
2022-03-01T00:00:00
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS may allow a privileged attacker to disclose sensitive information via SNI Client Hello TLS packets.
Improper access control
All FortiOS versions are impacted by this vulnerability.
Given that there is no systematic way to detect all exfiltration attempts and to exhaustively enumerate all possibilities offered by exfiltration channels, Fortinet has addressed the issue by releasing a set of IPS signatures: Python/SNICat.A!exploit https://www.fortiguard.com/encyclopedia/virus/10069638 SNIcat.Data.Exfiltration.Tool https://www.fortiguard.com/encyclopedia/ips/50952
https://fortiguard.fortinet.com/psirt/FG-IR-20-091
FortiOS - Bypassing FortiGate security profiles via SNI in Client Hello
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Bypassing-FortiGate-web-filter-profile-by-using/ta-p/200212
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Bypassing-FortiGate-web-filter-profile-by-using/ta-p/200212
FortiOS 6.4.3
FortiOS 6.4.2
FortiOS 6.4.1
FortiOS 6.4.0
FortiOS 6.2.5
FortiOS 6.2.4
FortiOS 6.2.3
FortiOS 6.2.2
FortiOS 6.2.1
FortiOS 6.2.0
FortiOS 6.0.11
FortiOS 6.0.10
FortiOS 6.0.9
FortiOS 6.0.8
FortiOS 6.0.7
FortiOS 6.0.6
FortiOS 6.0.5
FortiOS 6.0.4
FortiOS 6.0.3
FortiOS 6.0.2
FortiOS 6.0.1
FortiOS 6.0.0
FortiOS 5.6.13
FortiOS 5.6.12
FortiOS 5.6.11
FortiOS 5.6.10
FortiOS 5.6.9
FortiOS 5.6.8
FortiOS 5.6.7
FortiOS 5.6.6
FortiOS 5.6.5
FortiOS 5.6.4
FortiOS 5.6.3
FortiOS 5.6.2
FortiOS 5.6.1
FortiOS 5.6.0
FortiOS - Bypassing FortiGate security profiles via SNI in Client Hello
CVE-2020-15936
FortiOS-6.4.3
FortiOS-6.4.2
FortiOS-6.4.1
FortiOS-6.4.0
FortiOS-6.2.5
FortiOS-6.2.4
FortiOS-6.2.3
FortiOS-6.2.2
FortiOS-6.2.1
FortiOS-6.2.0
FortiOS-6.0.11
FortiOS-6.0.10
FortiOS-6.0.9
FortiOS-6.0.8
FortiOS-6.0.7
FortiOS-6.0.6
FortiOS-6.0.5
FortiOS-6.0.4
FortiOS-6.0.3
FortiOS-6.0.2
FortiOS-6.0.1
FortiOS-6.0.0
FortiOS-5.6.13
FortiOS-5.6.12
FortiOS-5.6.11
FortiOS-5.6.10
FortiOS-5.6.9
FortiOS-5.6.8
FortiOS-5.6.7
FortiOS-5.6.6
FortiOS-5.6.5
FortiOS-5.6.4
FortiOS-5.6.3
FortiOS-5.6.2
FortiOS-5.6.1
FortiOS-5.6.0
2.6
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N/E:U/RL:X/RC:X
https://fortiguard.fortinet.com/psirt/FG-IR-20-091
FortiOS - Bypassing FortiGate security profiles via SNI in Client Hello
Reference>
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Bypassing-FortiGate-web-filter-profile-by-using/ta-p/200212
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Bypassing-FortiGate-web-filter-profile-by-using/ta-p/200212