=====================================================================

                              CERT-Renater

                    Note d'Information No. 2024/VULN463
_____________________________________________________________________

DATE                : 13/11/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running FortiOS versions prior to 7.4.4,
                     7.2.9, 7.0.15; FortiProxy versions prior to 7.4.4,
                     7.2.10, 7.0.17; FortiManager versions prior to
                     7.4.3, 7.2.5, 7.0.12, 6.4.15; FortiPortal versions
                     prior to 6.0.15; FortiPAM versions prior to 1.3;
                     FortiSwitchManager versions prior to 7.2.4, 7.0.4.

=====================================================================
https://www.fortiguard.com/psirt/FG-IR-23-475
https://www.fortiguard.com/psirt/FG-IR-24-032
https://www.fortiguard.com/psirt/FG-IR-24-033
_____________________________________________________________________

FortiOS - SSLVPN session hijacking using SAML authentication


Summary

A session fixation vulnerability [CWE-384] in the FortiOS SSL-VPN may
allow an unauthenticated attacker to hijack a user's session by luring
that user to a crafted (phishing) SAML authentication link.
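The mechanism behind a session-fixation bug of this kind, as an added illustration written for this note (it is not FortiOS code, does not describe FortiOS internals, and the URL shape, session-store layout and sample assertion are assumptions): a toy SAML service provider that accepts a caller-supplied session id at login start, beside the hardened variant that discards the pre-authentication id once the assertion is consumed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    sid: str
    request_id: str                 # ID of the AuthnRequest issued for this session
    user: Optional[str] = None      # set once a SAML assertion has been consumed


class ServiceProvider:
    """Toy SAML service provider written for this note to illustrate CWE-384.
    It is not FortiOS code and makes no claim about FortiOS internals."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self.sessions: Dict[str, Session] = {}

    def start_login(self, sid: Optional[str] = None) -> Session:
        """Begin a SAML login. A fixation-prone SP honours a caller-supplied
        sid (e.g. one carried in a link), so an attacker can pre-choose the
        value the victim's browser will hold while it authenticates."""
        if sid is None:
            sid = secrets.token_urlsafe(16)
        if sid not in self.sessions:
            self.sessions[sid] = Session(sid=sid, request_id=secrets.token_hex(8))
        return self.sessions[sid]

    def login_link(self, sid: str) -> str:
        # Hypothetical URL shape for the phishing link: an SP login entry point
        # that carries the attacker's pre-chosen session id.
        return f"https://sp.example/saml/login?sid={sid}"

    def consume_assertion(self, sid: str, assertion: Dict[str, str]) -> str:
        """Assertion Consumer Service: bind the authenticated subject to a
        session and return the sid the browser must use from now on."""
        session = self.sessions.get(sid)
        if session is None:
            raise KeyError("unknown session")
        # InResponseTo must match the request this session issued (replay check)
        if assertion["in_response_to"] != session.request_id:
            raise ValueError("assertion does not answer this session's request")
        if not self.rotate_on_login:
            # VULNERABLE: the pre-authentication sid is simply promoted, so
            # whoever chose it now holds an authenticated session.
            session.user = assertion["subject"]
            return sid
        # HARDENED: discard the pre-authentication sid and mint a fresh one
        # that only the authenticating browser ever sees.
        del self.sessions[sid]
        fresh = secrets.token_urlsafe(16)
        self.sessions[fresh] = Session(sid=fresh, request_id=session.request_id,
                                       user=assertion["subject"])
        return fresh

    def whoami(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


def run_scenario(rotate_on_login: bool) -> Dict[str, object]:
    """Play the phishing scenario and report whether the attacker's
    pre-chosen sid ends up authenticated as the victim."""
    sp = ServiceProvider(rotate_on_login)
    attacker = sp.start_login()                    # attacker obtains a sid
    link = sp.login_link(attacker.sid)             # ...and sends it to the victim
    victim = sp.start_login(sid=attacker.sid)      # victim follows the link, adopts the sid
    assertion = {"subject": "alice@example.org",   # constructed sample assertion
                 "in_response_to": victim.request_id}
    post_login_sid = sp.consume_assertion(victim.sid, assertion)
    return {
        "link": link,
        "attacker_is_alice": sp.whoami(attacker.sid) == "alice@example.org",
        "victim_sid_rotated": post_login_sid != attacker.sid,
    }


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotate_on_login=%s -> %s" % (rotate, run_scenario(rotate)))
```

The fix that matters is the rotation at the assertion consumer: whatever id the browser carried during the redirect to the IdP must never become the authenticated id. Refusing a caller-supplied sid at login start helps too, but rotation is the control that closes the class regardless of how the pre-auth id was planted.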


Version 	Affected 	Solution
FortiOS 7.4 	7.4.0 through 7.4.3 	Upgrade to 7.4.4 or above
FortiOS 7.2 	7.2.0 through 7.2.7 	Upgrade to 7.2.8 or above
FortiOS 7.0 	7.0.0 through 7.0.13 	Upgrade to 7.0.14 or above

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool


Timeline

2024-11-12: Initial publication

_____________________________________________________________________

SSLVPN WEB UI Text injection

Summary

An improper neutralization of special elements in output used by a
downstream component ('Injection') vulnerability [CWE-74] in FortiOS
and FortiProxy SSL-VPN web user interface may allow a remote
unauthenticated attacker to perform phishing attempts via crafted
requests.


Version 	Affected 	Solution
FortiOS 7.6 	Not affected 	Not Applicable
FortiOS 7.4 	7.4.0 through 7.4.3 	Upgrade to 7.4.4 or above
FortiOS 7.2 	7.2.0 through 7.2.8 	Upgrade to 7.2.9 or above
FortiOS 7.0 	7.0 all versions 	Migrate to a fixed release
FortiProxy 7.4 	7.4.0 through 7.4.3 	Upgrade to 7.4.4 or above
FortiProxy 7.2 	7.2.0 through 7.2.9 	Upgrade to 7.2.10 or above
FortiProxy 7.0 	7.0.0 through 7.0.16 	Upgrade to 7.0.17 or above

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool

Fortinet remediated this issue in FortiSASE version 24.2.c in Q3/24;
FortiSASE customers therefore need not take any action.


Workaround:
Disable SSL-VPN.

Acknowledgement
Fortinet is pleased to thank Livio Victoriano, Michal Majchrowicz
and Marcin Wyczechowski from AFINE Team for reporting this
vulnerability under responsible disclosure.


Timeline

2024-11-12: Initial publication


_____________________________________________________________________

FortiOS - Improper authentication in fgfmd

Summary

An improper authentication vulnerability [CWE-287] in the fgfmd daemon
of FortiManager, FortiOS, FortiPAM, FortiPortal, FortiProxy and
FortiSwitchManager may allow an unauthenticated attacker to inject
(but not receive) packets into the tunnels established between a
FortiManager and the targeted device.


Version 	Affected 	Solution
FortiManager 7.4 	7.4.0 through 7.4.2 	Upgrade to 7.4.3 or above
FortiManager 7.2 	7.2.0 through 7.2.4 	Upgrade to 7.2.5 or above
FortiManager 7.0 	7.0.0 through 7.0.11 	Upgrade to 7.0.12 or above
FortiManager 6.4 	6.4.0 through 6.4.14 	Upgrade to 6.4.15 or above
FortiOS 7.6 	Not affected 	Not Applicable
FortiOS 7.4 	7.4.0 through 7.4.3 	Upgrade to 7.4.4 or above
FortiOS 7.2 	7.2.0 through 7.2.7 	Upgrade to 7.2.8 or above
FortiOS 7.0 	7.0.0 through 7.0.14 	Upgrade to 7.0.15 or above
FortiOS 6.4 	6.4 all versions 	Migrate to a fixed release
FortiOS 6.2 	6.2 all versions 	Migrate to a fixed release
FortiOS 6.0 	6.0 all versions 	Migrate to a fixed release
FortiPAM 1.3 	Not affected 	Not Applicable
FortiPAM 1.2 	1.2 all versions 	Migrate to a fixed release
FortiPAM 1.1 	1.1 all versions 	Migrate to a fixed release
FortiPAM 1.0 	1.0 all versions 	Migrate to a fixed release
FortiPortal 6.0 	6.0.0 through 6.0.14 	Upgrade to 6.0.15 or above
FortiPortal 5.3 	5.3 all versions 	Migrate to a fixed release
FortiProxy 7.4 	7.4.0 through 7.4.2 	Upgrade to 7.4.4 or above
FortiProxy 7.2 	7.2.0 through 7.2.9 	Upgrade to 7.2.10 or above
FortiProxy 7.0 	7.0 all versions 	Migrate to a fixed release
FortiProxy 2.0 	2.0 all versions 	Migrate to a fixed release
FortiProxy 1.2 	1.2 all versions 	Migrate to a fixed release
FortiProxy 1.1 	1.1 all versions 	Migrate to a fixed release
FortiProxy 1.0 	1.0 all versions 	Migrate to a fixed release
FortiSwitchManager 7.2 	7.2.0 through 7.2.3 	Upgrade to 7.2.4 or above
FortiSwitchManager 7.0 	7.0.0 through 7.0.3 	Upgrade to 7.0.4 or above

Follow the recommended upgrade path using our tool at:
https://docs.fortinet.com/upgrade-tool
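To check an inventory against the three affected-version tables in this note, here is an added triage script (written for this note; not a Fortinet or CERT-Renater tool). The rows are transcribed from the tables above and keyed by section title; branches with no row are treated as not listed as affected; the sample inventory at the bottom is constructed.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Row(NamedTuple):
    advisory: str            # section of this note the row comes from
    product: str
    branch: str              # major.minor branch the row describes
    first: Optional[str]     # None = "all versions" of the branch
    last: Optional[str]
    fixed_in: Optional[str]  # None = "Migrate to a fixed release"


# Affected-version tables transcribed from the three sections above.
# Branches with no row (e.g. FortiOS 7.6, FortiPAM 1.3) are not listed as affected.
ROWS: List[Row] = [
    Row("saml-session-hijack", "FortiOS", "7.4", "7.4.0", "7.4.3", "7.4.4"),
    Row("saml-session-hijack", "FortiOS", "7.2", "7.2.0", "7.2.7", "7.2.8"),
    Row("saml-session-hijack", "FortiOS", "7.0", "7.0.0", "7.0.13", "7.0.14"),
    Row("sslvpn-text-injection", "FortiOS", "7.4", "7.4.0", "7.4.3", "7.4.4"),
    Row("sslvpn-text-injection", "FortiOS", "7.2", "7.2.0", "7.2.8", "7.2.9"),
    Row("sslvpn-text-injection", "FortiOS", "7.0", None, None, None),
    Row("sslvpn-text-injection", "FortiProxy", "7.4", "7.4.0", "7.4.3", "7.4.4"),
    Row("sslvpn-text-injection", "FortiProxy", "7.2", "7.2.0", "7.2.9", "7.2.10"),
    Row("sslvpn-text-injection", "FortiProxy", "7.0", "7.0.0", "7.0.16", "7.0.17"),
    Row("fgfmd-improper-auth", "FortiManager", "7.4", "7.4.0", "7.4.2", "7.4.3"),
    Row("fgfmd-improper-auth", "FortiManager", "7.2", "7.2.0", "7.2.4", "7.2.5"),
    Row("fgfmd-improper-auth", "FortiManager", "7.0", "7.0.0", "7.0.11", "7.0.12"),
    Row("fgfmd-improper-auth", "FortiManager", "6.4", "6.4.0", "6.4.14", "6.4.15"),
    Row("fgfmd-improper-auth", "FortiOS", "7.4", "7.4.0", "7.4.3", "7.4.4"),
    Row("fgfmd-improper-auth", "FortiOS", "7.2", "7.2.0", "7.2.7", "7.2.8"),
    Row("fgfmd-improper-auth", "FortiOS", "7.0", "7.0.0", "7.0.14", "7.0.15"),
    Row("fgfmd-improper-auth", "FortiOS", "6.4", None, None, None),
    Row("fgfmd-improper-auth", "FortiOS", "6.2", None, None, None),
    Row("fgfmd-improper-auth", "FortiOS", "6.0", None, None, None),
    Row("fgfmd-improper-auth", "FortiPAM", "1.2", None, None, None),
    Row("fgfmd-improper-auth", "FortiPAM", "1.1", None, None, None),
    Row("fgfmd-improper-auth", "FortiPAM", "1.0", None, None, None),
    Row("fgfmd-improper-auth", "FortiPortal", "6.0", "6.0.0", "6.0.14", "6.0.15"),
    Row("fgfmd-improper-auth", "FortiPortal", "5.3", None, None, None),
    Row("fgfmd-improper-auth", "FortiProxy", "7.4", "7.4.0", "7.4.2", "7.4.4"),
    Row("fgfmd-improper-auth", "FortiProxy", "7.2", "7.2.0", "7.2.9", "7.2.10"),
    Row("fgfmd-improper-auth", "FortiProxy", "7.0", None, None, None),
    Row("fgfmd-improper-auth", "FortiProxy", "2.0", None, None, None),
    Row("fgfmd-improper-auth", "FortiProxy", "1.2", None, None, None),
    Row("fgfmd-improper-auth", "FortiProxy", "1.1", None, None, None),
    Row("fgfmd-improper-auth", "FortiProxy", "1.0", None, None, None),
    Row("fgfmd-improper-auth", "FortiSwitchManager", "7.2", "7.2.0", "7.2.3", "7.2.4"),
    Row("fgfmd-improper-auth", "FortiSwitchManager", "7.0", "7.0.0", "7.0.3", "7.0.4"),
]


def parse(version: str) -> Version:
    """'7.4.3' -> (7, 4, 3); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(product: str, version: str) -> Dict[str, str]:
    """Status of one product/version per advisory section. An empty result
    means no row in this note lists that product branch."""
    v = parse(version)
    status: Dict[str, str] = {}
    for row in ROWS:
        branch = parse(row.branch)
        if row.product != product or v[: len(branch)] != branch:
            continue
        if row.first is None:
            status[row.advisory] = "affected (migrate to a fixed release)"
        elif parse(row.first) <= v <= parse(row.last):
            status[row.advisory] = f"affected (upgrade to {row.fixed_in} or above)"
        elif v >= parse(row.fixed_in):
            status[row.advisory] = "fixed"
        else:
            # e.g. FortiProxy 7.4.3 for fgfmd: past the listed range but below the fix
            status[row.advisory] = f"not listed as affected (below fixed release {row.fixed_in})"
    return status


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """Flatten assess() over an inventory of (hostname, product, version)."""
    findings = []
    for host, product, version in inventory:
        for advisory, st in sorted(assess(product, version).items()):
            findings.append((host, product, version, advisory, st))
    return findings


if __name__ == "__main__":
    # constructed sample inventory, not real hosts
    sample = [("fw-edge-1", "FortiOS", "7.2.8"), ("fmg-1", "FortiManager", "7.4.2"),
              ("proxy-1", "FortiProxy", "7.4.3"), ("fw-lab", "FortiOS", "7.6.0")]
    for finding in triage(sample):
        print(*finding)
```

The "not listed as affected (below fixed release ...)" status is deliberate: where a table's affected range stops short of the fixed release, the script reports the gap rather than assuming the version is safe, so that such hosts get a manual check against the vendor advisory.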


Acknowledgement
Internally discovered and reported by Gwendal Guégniaud of
Fortinet Product Security team.


Timeline

2024-11-12: Initial publication


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
