
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN136
_____________________________________________________________________

DATE                : 04/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiProxy versions prior to 2.0.1,
                     1.2.10.

=====================================================================
https://www.fortiguard.com/psirt/FG-IR-20-224
https://www.fortiguard.com/psirt/FG-IR-20-235
https://www.fortiguard.com/psirt/FG-IR-20-236
_____________________________________________________________________

FortiProxy SSL VPN user credential plaintext storage


Summary

A cleartext storage in a file or on disk (CWE-313) vulnerability in
FortiProxy SSL VPN may allow an attacker to retrieve a logged-in SSL VPN
user's credentials, should that attacker be able to read the session
file stored on the targeted device's system. To successfully exploit
this weakness, another unrelated weakness (e.g. a system file leaking
vulnerability) would need to be exploited first.


Impact

Information Disclosure


Affected Products

FortiProxy version 2.0.0.
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.


Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.


_____________________________________________________________________


FortiProxy SSL-VPN Improper Access Control vulnerability through the
Quick connection functionality

Summary

An improper access control vulnerability in FortiProxy SSL VPN portal
may allow an authenticated, remote attacker to access an internal service
such as the ZebOS Shell on the FortiProxy appliance through the Quick
Connection functionality.


Impact

Improper Access Control


Affected Products

FortiProxy version 2.0.0.
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.


Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.


Acknowledgement

Internally discovered and reported by the Fortinet PSIRT Team.

_____________________________________________________________________


Potential sensitive information can be displayed in cleartext in
FortiProxy CLI window


Summary

A cleartext storage of sensitive information vulnerability in FortiProxy
command line interface may allow an authenticated attacker to obtain
sensitive information such as VPN users' passwords by connecting to
FortiProxy CLI and executing the "diagnose sys ha checksum show"
command.


Impact

Information Disclosure


Affected Products

FortiProxy version 2.0.0.
FortiProxy versions 1.2.9 and below.
FortiProxy versions 1.1.6 and below.
FortiProxy versions 1.0.7 and below.


Solutions

Please upgrade to FortiProxy versions 2.0.1 or above.
Please upgrade to FortiProxy versions 1.2.10 or above.


Acknowledgement

Fortinet is pleased to thank Shaun Farrow for reporting this
vulnerability under responsible disclosure.
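
The three advisories above share the same affected and fixed version
ranges. The following is an added example, not part of the original
note or any Fortinet tooling, that triages an appliance inventory
against those ranges. The "host,version" inventory format, the host
names and the status labels are assumptions made for the example.

```python
import re

# Version ranges transcribed from the advisory text above.
LAST_AFFECTED_PATCH = {(2, 0): 0, (1, 2): 9, (1, 1): 6, (1, 0): 7}
FIXED_2X = (2, 0, 1)   # "2.0.1 or above"
FIXED_1X = (1, 2, 10)  # "1.2.10 or above"

# Constructed sample inventory (hypothetical hosts, "host,version" lines).
SAMPLE_INVENTORY = """\
proxy-edge-01,2.0.0
proxy-edge-02,2.0.1
proxy-dc-01,v1.2.9
proxy-dc-02,1.2.10
proxy-lab-01,1.1.6
proxy-lab-02,1.0.3
proxy-lab-03,1.1.7
proxy-lab-04,unknown
"""

def parse_version(text):
    """Extract a major.minor.patch triple, or None if the text has none."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text):
    """Return (status, minimum fixed release or None) for one version."""
    v = parse_version(version_text)
    if v is None:
        return ("unparsed", None)
    last = LAST_AFFECTED_PATCH.get(v[:2])
    if last is not None and v[2] <= last:
        # 2.0.0 is fixed in 2.0.1; the listed 1.x branches in 1.2.10.
        target = FIXED_2X if v[0] == 2 else FIXED_1X
        return ("affected", ".".join(map(str, target)))
    if v >= FIXED_2X or FIXED_1X <= v < (2, 0, 0):
        return ("fixed", None)
    return ("unlisted", None)  # e.g. 1.1.7: outside the ranges named above

def triage_inventory(text):
    """Map each host in 'host,version' lines to its triage result."""
    results = {}
    for line in filter(str.strip, text.splitlines()):
        host, _, version = line.partition(",")
        results[host.strip()] = triage(version)
    return results

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status:9} {target or '-'}")
```

Hosts reported as "unlisted" or "unparsed" fall outside what the
advisory states and need a manual check against the vendor pages
linked at the top of this note.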


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


