FortiOS and FortiClient Man-In-The-Middle Attack vulnerability from hardcoded XOR keys (CVE-2018-9195)

Summary:

FortiOS and FortiClient protect their traffic to FortiGuard cloud services with a static XOR key that is hardcoded in the product. Anyone on the network path who knows that key (and it ships in every installation) can decrypt and modify the Web Filter, AntiSpam and AntiVirus requests and responses. The vulnerable component is the FortiGuard communication channel itself, not a local service path.

Description:

Fortinet products for Mac and Windows, including FortiOS on FortiGate firewalls and the FortiClient endpoint antivirus, use a weak cipher (XOR) with hardcoded cryptographic keys to communicate with various FortiGuard cloud services. A man-in-the-middle with knowledge of the key can decrypt these messages and then read, manipulate or modify the information sent to and received from FortiGuard servers.

Fortinet products send this information to FortiGuard servers over UDP ports 53 and 8888 and over TCP port 80 (HTTP POST to /fgdsvc).

The messages are "encrypted" with XOR under a static key. Each protocol message contains the serial number of the Fortinet product installation (product type plus unique ID), which both identifies the device and gives an eavesdropper a predictable known plaintext at a fixed position.

An attacker on the path could use this weakness to read users' traffic to FortiGuard and so track their browsing history (Web Filter lookups) or email data (AntiSpam lookups). Researchers discovered and reported these issues in May 2018, but it took Fortinet 10 to 18 months to delete the hard-coded keys.

By intercepting and manipulating this traffic, an attacker can alter the responses for the FortiGuard Web Filter, AntiSpam and AntiVirus features, for example turning a block verdict into an allow, because XOR provides no integrity protection.
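The following is an added example, not code from the advisory or from Fortinet, showing why repeating-key XOR under a static, hardcoded key gives an on-path attacker both read and write access to the exchange described above. Everything concrete in it is constructed for illustration: STATIC_KEY is a stand-in (not Fortinet's key), and the "serial|url" request and "verdict=..." response layouts are hypothetical, not the real FortiGuard wire format.

```python
"""Added example (not from the advisory or Fortinet): static-key XOR gives an
on-path attacker confidentiality and integrity breaks at the same time.

Constructed for illustration: STATIC_KEY is a stand-in, and the request and
response layouts are hypothetical, not the real FortiGuard wire format.
"""
from itertools import cycle

# Constructed stand-in for a key baked into every shipped binary (hypothetical).
STATIC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def xor_with_key(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_request(serial: str, url: str) -> bytes:
    """Hypothetical request layout: device serial, then the URL to be rated."""
    return f"{serial}|{url}".encode()


def recover_key_from_known_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: where the plaintext is predictable (here the
    serial number, product type plus unique ID), ciphertext XOR plaintext
    yields the key bytes for that span. No prior key knowledge is needed."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def forge_ciphertext(ciphertext: bytes, old_plaintext: bytes, new_plaintext: bytes) -> bytes:
    """Malleability: XOR has no integrity, so flipping ciphertext bits flips the
    same plaintext bits. Since c = p ^ k, c ^ old ^ new = new ^ k, which the
    receiver decrypts to `new`. This works without knowing the key at all."""
    if len(old_plaintext) != len(new_plaintext) or len(new_plaintext) > len(ciphertext):
        raise ValueError("replacement must be the same length and fit in the message")
    head = bytes(c ^ o ^ n for c, o, n in zip(ciphertext, old_plaintext, new_plaintext))
    return head + ciphertext[len(new_plaintext):]


def mitm_demo() -> dict:
    """Walk through the three things an on-path attacker can do."""
    serial = "FGT60D4Q16000001"        # constructed; 16 chars = one full key period
    request = build_request(serial, "https://intranet.example.com/payroll")
    wire_request = xor_with_key(request)

    # 1. With the hardcoded key, every request is readable: browsing history leaks.
    sniffed = xor_with_key(wire_request).decode()

    # 2. Without the key, the predictable serial prefix recovers the whole key
    #    (the key repeats every 16 bytes and the serial is 16 bytes long).
    recovered_key = recover_key_from_known_prefix(wire_request, serial.encode())

    # 3. The server's verdict can be rewritten in transit, e.g. block -> allow.
    wire_response = xor_with_key(b"verdict=block")
    forged = forge_ciphertext(wire_response, b"verdict=block", b"verdict=allow")
    client_sees = xor_with_key(forged).decode()

    return {"sniffed": sniffed, "recovered_key": recovered_key, "client_sees": client_sees}


if __name__ == "__main__":
    for name, value in mitm_demo().items():
        print(f"{name}: {value!r}")
```

Step 2 is why deleting the key from the binaries is not by itself a fix: the key is recoverable from a single captured message as long as any field of it is predictable. Only an authenticated channel (TLS with server certificate validation, which the fixed versions default to) defeats both the read in step 1 and the forge in step 3.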

Affected Products:

All versions below FortiOS 6.0.8

All versions below FortiOS 5.6.12

All versions below FortiClientWindows 6.2.0

All versions below FortiClientMac 6.2.2

Advisory:

https://fortiguard.com/psirt/FG-IR-18-100

Mitigation:

Upgrade to FortiOS 6.0.8 or later, or to 5.6.12 or later. An upgrade keeps the existing FortiGuard settings, so after upgrading manually change the configuration to use TLS as the communication protocol with FortiGuard servers; only a fresh install of a fixed version gets the new TLS-based default automatically.

For AntiVirus communication on FortiOS 6.0 and above, exposure exists only if outbreak protection is enabled in the antivirus profile settings; that is the only part of AV which makes a real-time FortiGuard request.

Upgrade to FortiClientWindows 6.2.0 or later, or FortiClientMac 6.2.2 or later, then change the EMS configuration in the Endpoint Profile to use "FortiGuard Anycast". The new option is provided on the Web Filter tab as well as the System Settings tab.
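Because an in-place upgrade keeps the old channel settings, it is worth confirming from the network side that the devices actually moved to TLS. The following is an added example, not from the advisory or from Qualys, that audits egress flow records for the legacy FortiGuard channels listed above (UDP/53, UDP/8888, and HTTP POST /fgdsvc on TCP/80). The flow records, the one-line record format and MONITORED_SOURCES (a hypothetical list of FortiGate and FortiClient hosts, used so ordinary DNS from other hosts on UDP/53 is not misreported) are all constructed for this example.

```python
"""Added example (not from the advisory or Qualys): post-upgrade check that
FortiGate/FortiClient hosts no longer use the legacy FortiGuard channels.

The record format, sample flows and MONITORED_SOURCES are constructed for
illustration; adapt parse_flow() to your collector's real export format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Legacy channels named in the advisory.
LEGACY_UDP_PORTS = {53, 8888}
LEGACY_HTTP_METHOD_PATH = "POST /fgdsvc"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    dport: int
    request: str = ""   # HTTP request line, when the collector captured one


def parse_flow(line: str) -> Flow:
    """Constructed record format: 'src dst proto dport [http request line]'."""
    src, dst, proto, dport, *rest = line.split(maxsplit=4)
    return Flow(src, dst, proto.lower(), int(dport), rest[0] if rest else "")


def classify(flow: Flow, monitored_sources: set) -> str:
    """Label one flow; only flows from the monitored hosts are judged, so that
    real DNS on UDP/53 from everyone else is not reported as a finding."""
    if flow.src not in monitored_sources:
        return "unmonitored"
    if flow.proto == "udp" and flow.dport in LEGACY_UDP_PORTS:
        return "legacy-udp"
    if flow.proto == "tcp" and flow.dport == 80 and flow.request.startswith(LEGACY_HTTP_METHOD_PATH):
        return "legacy-http"
    if flow.proto == "tcp" and flow.dport == 443:
        return "tls"
    return "other"


def audit(lines, monitored_sources: set) -> dict:
    """Count flows per label and list the legacy-channel findings to chase."""
    counts = defaultdict(int)
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        verdict = classify(flow, monitored_sources)
        counts[verdict] += 1
        if verdict.startswith("legacy"):
            findings.append((flow.src, flow.dst, verdict))
    return {"counts": dict(counts), "findings": findings}


# Constructed sample: 10.0.0.1 is a FortiGate, 10.0.0.2 a FortiClient host,
# 10.0.0.50 an unrelated workstation; 198.51.100.x / 203.0.113.x are
# documentation address ranges, not real FortiGuard servers.
SAMPLE_FLOWS = """\
10.0.0.1 198.51.100.10 udp 8888
10.0.0.1 198.51.100.10 udp 53
10.0.0.1 198.51.100.11 tcp 80 POST /fgdsvc HTTP/1.1
10.0.0.2 198.51.100.20 tcp 443
10.0.0.50 203.0.113.5 udp 53
10.0.0.1 198.51.100.12 tcp 80 GET /index.html HTTP/1.1
"""
MONITORED_SOURCES = {"10.0.0.1", "10.0.0.2"}


if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS.splitlines(), MONITORED_SOURCES)
    print(result["counts"])
    for src, dst, verdict in result["findings"]:
        print(f"{verdict}: {src} -> {dst} still on a legacy FortiGuard channel")
```

Any "legacy-udp" or "legacy-http" finding from a host that was already upgraded means the FortiGuard protocol setting (or the EMS endpoint profile) was not switched after the upgrade.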

Qualys customers can scan their network with QID(s)# 372278 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.

References & Sources:

  • https://packetstormsecurity.com/files/cve/CVE-2018-9195
  • https://fortiguard.com/psirt/FG-IR-18-100
