SNS Vulnerability

Fortinet FortiOS Multiple Cross-Site Scripting Vulnerabilities Fixed by 5.6.1

Description

(#Several cross-site scripting vulnerabilities were reported in Fortinet FortiOS.#An authenticated remote attacker could exploit them by enticing their victim into following a specially crafted link in order to execute arbitrary JavaScript code.##These vulnerabilities are located in:#- CVE-2017-3131: the filter input in "Applications" under "FortiView" ; triggerable via the "onmouseover" parameter of the de la page "ng/fortiview/app/NUMERO_APP" web page##- CVE-2017-3132: the action input during the activation of a FortiToken ; triggerable via the "action" parameter of the "p/user/ftoken/activate/user/guest/" web page##- CVE-2017-3133: in the Replacement Message HTML for SSL-VPN ; triggerable via the "csrfmiddlewaretoken" POST parameter of the "p/system/replacemsg/edit/sslvpn/sslvpn-login" web page.##Proofs of concept are available.)

Vulnerable Products

Vulnerable OS:
FortiOS (Fortinet) - 5.4, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.6.0

Solution

- CVE-2017-3132: Restrict "User & Device" access to "None" for untrusted Admin Profiles.

CVE

CVE-2017-3133
CVE-2017-3132
CVE-2017-3131

References

- Fortinet : FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages
http://fortiguard.com/psirt/FG-IR-17-104
- Bugtraq : FortiOS <= 5.6.0 Multiple XSS Vulnerabilities
http://seclists.org/bugtraq/2017/Jul/68

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL	3.2.0
XSS - Prevention - POST : suspicious 'meta' tag found in data	3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL	3.2.0
XSS - Phishing : suspicious 'div' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL	3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL	3.2.0
XSS - Prevention - POST : suspicious 'img' attribute found in data	3.2.0
XSS - Phishing : suspicious 'a' tag found in URL	3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL	3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL	3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL	3.2.0
XSS - Phishing : suspicious 'form' tag found in URL	3.2.0
XSS - Prevention - GET : javascript code found in URL	3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL	3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL	3.2.0
XSS - Phishing : suspicious 'link' tag found in URL	3.2.0
XSS - Prevention - GET : 'script' tag found in URL	3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL	3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL	3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data	5.0.0
XSS - Prevention - POST : javascript code found in data	5.0.0
XSS - Prevention - POST : suspicious tag with event found in data	5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data	5.0.0
XSS - Prevention - POST : 'location' javascript object found in data	5.0.0
XSS - Prevention - POST : code allowing cookie access found in data	5.0.0
XSS - Prevention - POST : 'script' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data	5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data	5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data	5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data	5.0.0

Risk level

Low

Vulnerability First Public Report Date

2017-07-28

Target Type

Client

Possible exploit

Remote