FortiOS is the operating system that powers Fortinet’s next-generation firewalls. The operating system provides administrative features for the firewall through an admin portal available over an HTTPS connection. It was discovered that the admin web portal disclosed the password hashes of all local admin accounts in the responses to web requests made when visiting the ‘Administrators’ tab within the admin portal.
MWR only tested the FortiGate v5.2.7, build718 (GA) FortiGate 1500D admin portal. It was reported by Fortinet that this vulnerability affected multiple versions of FortiOS.
An authenticated attacker could obtain the admin hashes for all of the local admin accounts for the FortiOS device. An attacker with read-only access to the administrative portal could use this vulnerability to elevate their permission level to that of a read-write user by cracking the obtained hashes.
An error in the logic handling the request and response for the Administrators tab of the FortiOS admin portal returned password hashes instead of the default value returned by other requests involving admin accounts.
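The defect described above is a response-serialisation failure: one request path emitted the stored verifier where every other admin-account request emitted a fixed placeholder. The following Python is an added illustration written for this page, not FortiOS code; the account fields, the sample accounts and the "********" placeholder are assumptions. It shows the vulnerable pattern beside the hardened one, plus a small regression check that can be run against any rendered response body.

```python
"""Added example: response serialisation for admin accounts, vulnerable
and hardened. Illustrative code for this advisory, not FortiOS source;
field names, sample data and the placeholder value are assumptions."""
import json
from dataclasses import dataclass, field

# Fields that must never appear in an HTTP response, whoever the caller is.
SENSITIVE_FIELDS = frozenset({"password_hash", "api_key", "totp_seed"})
PLACEHOLDER = "********"  # assumed "default value" shown instead of a secret


@dataclass
class AdminAccount:
    name: str
    access_profile: str
    password_hash: str           # stored verifier; must stay server-side
    trusted_hosts: list = field(default_factory=list)


# Constructed sample accounts; the hash strings are placeholders, not real hashes.
SAMPLE_ACCOUNTS = [
    AdminAccount("admin", "super_admin", "$example$hash$alpha", ["10.0.0.0/8"]),
    AdminAccount("auditor", "read_only", "$example$hash$bravo"),
]


def render_vulnerable(accounts):
    """Vulnerable pattern: serialise the whole record, secrets included.
    This is the class of bug the advisory describes."""
    return json.dumps([vars(a) for a in accounts])


def render_hardened(accounts):
    """Hardened pattern: copy each record and overwrite every sensitive field
    with the placeholder before serialisation. The redaction does not depend
    on the caller's access profile, so a read-only viewer and a read-write
    viewer receive the same masked value."""
    out = []
    for a in accounts:
        rec = dict(vars(a))          # copy so the stored record is untouched
        for key in SENSITIVE_FIELDS:
            if key in rec:
                rec[key] = PLACEHOLDER
        out.append(rec)
    return json.dumps(out)


def leaks_secret(body, accounts):
    """Regression guard: True if any stored verifier string appears verbatim
    in a rendered response body."""
    return any(a.password_hash in body for a in accounts)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_secret(render_vulnerable(SAMPLE_ACCOUNTS), SAMPLE_ACCOUNTS))
    print("hardened leaks:  ", leaks_secret(render_hardened(SAMPLE_ACCOUNTS), SAMPLE_ACCOUNTS))
    print(render_hardened(SAMPLE_ACCOUNTS))
```

The design point is that redaction is applied at the serialisation boundary for every response, rather than being left to each individual handler; a guard like `leaks_secret` in the test suite catches the case where a new handler forgets it.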
At the time of testing, local accounts appeared to be the only type of account affected. As a workaround, using an external authentication mechanism such as a RADIUS server for administrator authentication is advised.
The vendor has provided the following patch information:
Please refer to the attached advisory above.
Fortinet Advisory: http://fortiguard.com/advisory/FG-IR-16-050
15/09/2016: Response received from vendor
19/09/2016: Advisory sent to vendor
02/12/2016: Contacted vendor for status of patch. Vendor notified MWR that a patch has been released for FortiOS versions 5.2.10 and 5.4.2.