Fortigate vulnerability

Author
Salas
Bronze Member
  • Total Posts : 33
  • Scores: 0
  • Reward points: 0
  • Joined: 2005/02/21 01:21:06
  • Status: offline
2017/10/11 09:43:04 (permalink) 5.2
0

Fortigate vulnerability

I ran a PCI DSS security scan against my FortiGate 600C with 5.2.11 firmware, and it found a vulnerability:
HTTP Security Header Not Detected
RESULT:
X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0
THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure:
X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top level page.
X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality.
X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type.
Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks.
Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
 
How to fix it?
 
 
#1


    MikePruett
    Platinum Member
    Re: Fortigate vulnerability 2017/10/13 06:48:44 (permalink)
    0
    Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?

    Mike Pruett
    Fortinet GURU
    #2
    zorro
    New Member
    Re: Fortigate vulnerability 2017/10/14 12:06:15 (permalink)
    0
    Hi
     
    I cannot tell from your post what was scanned by your scanner. Was it the firewall's management GUI (on HTTP/HTTPS) or some web service that is behind the firewall?
     
    Z.
    #3
    emnoc
    Expert Member
    Re: Fortigate vulnerability 2017/10/14 23:57:10 (permalink)
    0
    Yes, curious minds want to know. FWIW, none of the webGUI logins for mgmt or sslvpn have an X-XSS-Protection header when using curl and monitoring the server response. These are on FortiOS 5.2.11 btw.
     
    Please use curl and dump the HTTP headers here.
     
    e.g.
     
    < HTTP/1.1 200 OK
    < Date: Sun, 15 Oct 2017 06:56:00 GMT
    < Vary: Accept-Encoding
    < Last-Modified: Fri, 21 Apr 2017 22:33:57 GMT
    < ETag: "af9_4f_58fa88d5"
    < Accept-Ranges: bytes
    < Content-Length: 79
    < Content-Type: text/html; charset=utf-8
    < X-Frame-Options: SAMEORIGIN
    < X-UA-Compatible: IE=Edge
     
    5.6.x shows
     
     
    < HTTP/1.1 200 OK
    < Date: Sun, 15 Oct 2017 06:59:21 GMT
    < Server: xxxxxxxx-xxxxx      <- I like the masked server header ;)
    < Vary: Accept-Encoding
    < Content-Length: 79
    < Content-Type: text/html; charset=utf-8
    < X-Frame-Options: SAMEORIGIN
    < Content-Security-Policy: frame-ancestors 'self'
    < X-UA-Compatible: IE=Edge
    <
    <html>
    <script language=javascript>
    top.location="/login";
    </script>
    </html>
     
    Ken
     
    post edited by emnoc - 2017/10/15 00:01:25

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #4
    Salas
    Bronze Member
    Re: Fortigate vulnerability 2017/10/15 22:02:56 (permalink)
    0
    MikePruett
    Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?

    No, only SSL VPN is listening on this port.
    #5
    Salas
    Bronze Member
    Re: Fortigate vulnerability 2017/10/15 22:13:13 (permalink)
    0
     
    It's the FortiGate SSL VPN.
    The full report about this issue:
     
    QID: 11827
    Severity: 2
    CVSS Base: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    CVSS Temporal: 3.5 (E:U/RL:U/RC:UR)
    PCI Compliance Status: FAIL
  • The QID adheres to the PCI requirements based on the CVSS base score.
    Category: CGI
    Port/Service: 443 / CGI (tcp)
    False Positive: N/A
    Bugtraq ID: -
    CVE ID: -
    Vendor Reference: -
    Last Update: 10/04/2017 at 03:00:00
    Threat: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure:
    X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the top level page.
    X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality.
    X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type.
    Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks.
    Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.
    Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
    QID Detection Logic:
    This unauthenticated QID looks for the presence of the following HTTP responses:
    Valid directives for X-Frame-Options are:
    X-Frame-Options: DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
    X-Frame-Options: SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
    X-Frame-Options: ALLOW-FROM RESOURCE-URL - The page can only be displayed in a frame on the specified origin.
    Content-Security-Policy: frame-ancestors - This directive specifies valid parents that may embed a page using frame, iframe, object, embed, or applet.
    Valid directives for X-XSS-Protection are:
    X-XSS-Protection: 1 - Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
    X-XSS-Protection: 1; mode=block - Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
    X-XSS-Protection: 1; report=URI - Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report.
    X-XSS-Protection: 0 disables this directive and hence is also treated as not detected.
    A valid directive for X-Content-Type-Options: nosniff
    A valid directive for Content-Security-Policy: <policy-directive>; <policy-directive>
    A valid HPKP directive Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
    A valid HSTS directive Strict-Transport-Security: max-age=<expire-time>; [; includeSubDomains][; preload]
    NOTE: All report-only directives (where applicable) are considered invalid.

    Impact: Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.

    Solution: CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.
    Customers are advised to set proper X-Frame-Options, X-XSS-Protection, Content Security Policy, X-Content-Type-Options, Public Key Pinning and Strict-Transport-Security HTTP response headers.
    Depending on their server software, customers can set directives in their site configuration or Web.config files. A few examples are:
    X-Frame-Options:
    Apache: Header always append X-Frame-Options SAMEORIGIN
    nginx: add_header X-Frame-Options SAMEORIGIN;
    HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN
    IIS: <HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="X-Frame-Options" VALUE="SAMEORIGIN"></ADD></CUSTOMHEADERS></HTTPPROTOCOL>
    X-XSS-Protection:
    Apache: Header always set X-XSS-Protection "1; mode=block"
    PHP: header("X-XSS-Protection: 1; mode=block");
    X-Content-Type-Options:
    Apache: Header always set X-Content-Type-Options: nosniff
    Content-Security-Policy: (Please note that these values may differ from website to website. The values below are for informational purposes only. The scanner simply looks for the presence of the security header.)
    Apache: Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
    IIS: <SYSTEM.WEBSERVER><HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="Content-Security-Policy" VALUE="default-src 'self';"></ADD></CUSTOMHEADERS></HTTPPROTOCOL></SYSTEM.WEBSERVER>
    nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
    HTTP Public Key Pinning (HPKP):
    Apache: Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
    Lighttpd: setenv.add-response-header = ( "Public-Key-Pins" => "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains" )
    HTTP Strict-Transport-Security:
    Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Nginx: add_header Strict-Transport-Security max-age=31536000;

    Result:
    X-XSS-Protection HTTP Header missing on port 443.
    GET / HTTP/1.0
    Host: x.x.x.x

    X-Content-Type-Options HTTP Header missing on port 443.
    Content-Security-Policy HTTP Header missing on port 443.
    Public-Key-Pins HTTP Header missing on port 443.
    Strict-Transport-Security HTTP Header missing on port 443.
     
  • #6
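As an added example (not code from this thread, nor from Qualys or Fortinet), this Python script applies the QID detection logic quoted in the report above to a header dump of the kind emnoc pasted from curl in #4; the sample headers are constructed to mirror the 5.6.x dump, and the per-header validity rules follow the "QID Detection Logic" section.

```python
# Added example, not code from the thread or from Qualys/Fortinet: it applies the
# QID 11827 detection logic quoted above to a header dump such as the ones emnoc
# pasted (plain "Name: value" lines or the "< Name: value" lines from curl -v).
import re

CHECKED = ("X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options",
           "Content-Security-Policy", "Public-Key-Pins", "Strict-Transport-Security")


def parse_headers(dump):
    """Lowercased header name -> list of values.  Skips the status line and
    curl's '<' marker; stops at the blank line that ends the header section."""
    headers = {}
    for raw in dump.splitlines():
        line = raw.strip().lstrip("<").strip()
        if not line:
            if headers:
                break                      # body follows; ignore it
            continue
        if re.match(r"HTTP/\d", line) or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def header_detected(name, headers):
    """Validity rules from the report: '0' disables X-XSS-Protection, only
    'nosniff' counts, HPKP/HSTS need max-age.  *-Report-Only variants never
    match because only the exact header name is looked up."""
    values = headers.get(name.lower(), [])
    if name == "X-Frame-Options":
        if any(v.upper().split(" ")[0] in ("DENY", "SAMEORIGIN", "ALLOW-FROM") for v in values):
            return True
        # CSP frame-ancestors is the report's listed alternative for framing control
        return any("frame-ancestors" in v for v in headers.get("content-security-policy", []))
    if name == "X-XSS-Protection":
        return any(v.startswith("1") for v in values)
    if name == "X-Content-Type-Options":
        return any(v.lower() == "nosniff" for v in values)
    if name == "Public-Key-Pins":
        return any("pin-sha256=" in v and "max-age=" in v for v in values)
    if name == "Strict-Transport-Security":
        return any(re.search(r"max-age=\d+", v) for v in values)
    return bool(values)                    # Content-Security-Policy: any policy


def missing_headers(dump, port=443):
    """Findings worded like the scan result quoted in this thread."""
    headers = parse_headers(dump)
    return [f"{n} HTTP Header missing on port {port}." for n in CHECKED
            if not header_detected(n, headers)]


# Constructed sample mirroring the 5.6.x dump in the thread (body omitted).
SAMPLE_56 = """< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
<
"""
```

Running `missing_headers(SAMPLE_56)` reproduces the four findings a 5.6.x portal would still get (X-XSS-Protection, X-Content-Type-Options, Public-Key-Pins, Strict-Transport-Security), with the CSP finding cleared by the frame-ancestors policy.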
    emnoc
    Expert Member
    Re: Fortigate vulnerability 2017/10/16 05:59:02 (permalink)
    0
    I would not worry about it.
     
    It's an X- header to begin with, and you have no means to inject or remove headers from an SSLVPN portal-access interface or even the WebGUI, as far as that goes.
     
    2nd, if the site is a true SSLVPN tunnel, who cares about the header to begin with, since this traffic is NOT HTTP (those reports reflect HTTP headers btw).
     
     
    Ken

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #7
    Salas
    Bronze Member
    Re: Fortigate vulnerability 2017/10/16 06:32:05 (permalink)
    0
    We are not using the VPN portal, we are only using ssl-vpn clients. Is it possible to turn it off?
    The problem is that the scan is reporting that we are not compliant, and I must give them some arguments to make it a false positive finding.
     
    #8
    Mike
    Bronze Member
    Re: Fortigate vulnerability 2017/10/16 09:07:20 (permalink)
    0
    Hi Salas,
     
    I'm thinking of a few options you could try:
    - First option:
    config vpn ssl web portal
    edit "my ssl portal"
    set skip-check-for-unsupported-browser disable
    next
    end
    It's usually to deny access for browsers that can't launch an ActiveX or Java applet... Worth a try, but you probably won't earn a lot of security points here. You might need to enable some host-checking though (which would still be good for your clients!).
    - Second option:
    migrate your tunnel portal from a public interface to a loopback - you'll need a FW rule with a VIP to forward traffic from WAN to your loopback - then activate IPS on that very rule. Another good protection here :) however, adding an HSTS header isn't an NGFW possibility...
    - Third option (Fortinet sales approved!): use a FortiWeb :-)
    This third one is a little bit of trolling, but if your company is concerned about PCI DSS compliance, they might consider the option, especially if you run other web services. And it will be the most 'by the book' way of improving your score (even though I suppose that you're posting this thread precisely to avoid this option).
     
    Let us know what you'll do, even if it's nothing! 
     
    BR,
     
    Michael
     
     
     
     
    #9
    emnoc
    Expert Member
    Re: Fortigate vulnerability 2017/10/16 09:47:48 (permalink)
    0
    Last option: if it's SSLVPN only, disable the web portal.
     
    Under the portal: "set web mode disable"
     
    Ken
     
     
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #10
    Mike
    Bronze Member
    Re: Fortigate vulnerability 2017/10/16 11:38:07 (permalink)
    0
    I hate to disagree, emnoc, but "set web mode disable" doesn't deactivate access to the https portal... which is the issue here.
    Basically, it just removes the widgets related to web mode. You'll still be able to connect to SSLVPN portal. It allows users to download FortiClient.
     
    Nice set of certs, btw! :)
    #11
    emnoc
    Expert Member
    Re: Fortigate vulnerability 2017/10/16 13:46:34 (permalink)
    0
    I'll be darned, I tried this on 5.2.11 and 5.4.3 and you're right, it still displays the SSLvpn portal.

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #12
    Mike
    Bronze Member
    Re: Fortigate vulnerability 2017/10/16 15:22:10 (permalink)
    0
    Regarding the original request: Salas, if you can justify that it's a false positive, maybe you can explain that the traffic concerned by this open port is not web traffic encapsulated in SSL: it's a PPP connection through SSL. Well, at least that's what you use it for.
     
    I can think of another option: client authentication through SSL certificates. That way your scan won't even reach the HTTP header.
     
    Once again: let us know! :)
    #13
    Salas
    Bronze Member
    Re: Fortigate vulnerability 2017/10/16 23:21:50 (permalink)
    0
    Thanks all for the help, I will try to give them this explanation.
    By the way, we are using certificates for SSL VPN, but the scan still detects this issue.
     
    #14
    oheigl
    Gold Member
    Re: Fortigate vulnerability 2017/10/17 00:34:06 (permalink)
    0
    Isn't the SSL client just a wrapper for HTTPS requests to the server? If you compare the sslvpn debug of an SSL web GUI login and a client login, it seems nearly the same?
    #15
    Mike
    Bronze Member
    Re: Fortigate vulnerability 2017/10/17 04:37:40 (permalink)
    0
    Salas
    By the way we are using certificates, for SSL VPN, but still the scan detects this issue.

    Wow. Now I gotta run a packet sniffer and check the behavior! I always thought that if you don't present the proper certificate, the connection would fail before talking HTTP... :)
     
    Or do you provide a web certificate for the test?
    #16
    emnoc
    Expert Member
    Re: Fortigate vulnerability 2017/10/17 11:25:18 (permalink)
    0
     
    By the way we are using certificates, for SSL VPN
     
    BTW that X-header comes after the SSL negotiation with the client/server hello. Just figured I would point that out.
     
    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #17
    Salas
    Bronze Member
    Re: Fortigate vulnerability 2017/10/17 22:31:17 (permalink)
    0
    Qualys accepted my explanation, thanks all for the help. But I hope Fortinet will do something about this issue in the next firmware releases; I also opened a ticket with support.
    #18
    Salas
    Bronze Member
    Re: Fortigate vulnerability 2017/10/27 04:34:43 (permalink)
    0
    The answer from Fortinet support:
     
    "Fix is coming in the next 5.4.7 and 5.6.3"
     
    But there will be no fix for 5.2.x firmwares. So I'll have to upgrade my firewalls.
     
     
    #19
    JerryPWhite_FTNT
    New Member
    Re: Fortigate vulnerability 2018/05/22 14:35:28 (permalink)
    0
    I'm on 5.4.8 and still have the same error btw.
    #20