Overview
On FortiManager, a low privileged user assigned to an ADOM is able to display the configuration of any registered FortiGate, regardless of the ADOM it is assigned to. This occurs because of a lack of server-side control on JSConsole usage for low privileged users that normally do not have access to it, and because of a lack of permission control for some sensitive JSConsole commands.
Details
A low privileged user can gain access to configuration information (including encrypted passwords and certificates) for all registered FortiGates, independently of ADOM segmentation.
On FortiManager, low privileged users are normally not able to access the JSConsole or to run the commands available to a high privileged user. By manipulating the server response before it reaches the browser, or by manipulating the client-side JavaScript, any user is able to make the JSConsole appear. Moreover, some sensitive commands are not correctly restricted for low privileged users, which allows a low privileged user to enumerate and read the configuration of any registered FortiGate, regardless of the ADOM it is assigned to.
Proof of Concept
The user performing the actions below is called "read-only user" and has the following permissions:
Please note that the Terminal Access permission is set to None.
This user is assigned to ADOM-AUDIT-CUSTOMER1, on which only one FortiGate, named OGSB-FGT-B1-Z1, is registered. Other ADOMs and other FortiGates exist on the targeted FortiManager.
- Make the JSConsole appear for any low privileged user
Several methods can be used to make the JSConsole/CLI Console icon or window appear even for a low privileged user (for example a read-only user).
The first method is to press t c while on the FortiManager web GUI; this shortcut triggers JavaScript code that makes the CLI Console window appear.
The screenshot above shows the execution of this first method: the CLI Console appears for a read-only user whose GUI does not show the JSConsole button.
The second method is to call directly the JavaScript function that makes the CLI Console appear.
The third method is to manipulate the server responses before they reach the browser and the client-side JavaScript code (using a local proxy such as Burp Suite or OWASP ZAP), changing the relevant parameter from 0 (low privileged user) to 2 (admin). This modification makes the client-side JavaScript run the code that displays the JSConsole icon. This method applies to the server responses to the following requests:
POST /cgi-bin/module/flatui_proxy to "url":"/gui/session/adom",
GET /cgi-bin/module/flatui_proxy?req=%7B%22url%22:%22%2Fgui%2Fsys%2Fconfig%22,%22method%22:%22get%22%7D
- Access all FortiGate configurations
Once the JSConsole is displayed, a low privileged user is still not allowed to run every command. For example, a simple show config is disallowed and the following message appears:
No permission to `command`
Other commands are not properly controlled and can be executed by low privileged users. This notably includes the ssh command, which allows a user to initiate SSH connections to the FortiManager itself and to any network-reachable SSH service in the FortiManager's neighborhood.
Additionally, execute dmserver showdev is allowed and lets the user list the name and serial number of every device registered on the FortiManager.
The screenshot above shows the execution of this command for a read-only user that normally has access neither to the JSConsole nor to the listed devices.
Finally, execute dmserver showconfig <device name> is allowed and gives the user access to the entire configuration of any registered FortiGate, regardless of its ADOM or of the user's permissions.
The screenshot above shows the execution of this command for a read-only user that normally has access neither to the JSConsole nor to the requested device.
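The two failures described above, a role value that only the browser enforces and console commands that are not scoped to the caller's ADOM, are illustrated below by an added Python model of the corresponding server-side checks. This is example code written for this page, not FortiManager code or the advisory's own; the Session fields, run_console_command and the second device name are assumptions.

```python
# Added example (not FortiManager code): a minimal model of the server-side
# checks that CVE-2023-42787 shows were missing. Every decision is taken from
# the server-held session, never from a role value supplied by the client.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    terminal_access: bool   # the "Terminal Access" permission
    adoms: frozenset        # ADOMs the user is assigned to


# Constructed device registry: device name -> ADOM it is registered in.
# OGSB-FGT-B1-Z1 / ADOM-AUDIT-CUSTOMER1 come from the advisory; the rest is made up.
DEVICES = {
    "OGSB-FGT-B1-Z1": "ADOM-AUDIT-CUSTOMER1",
    "FGT-CUSTOMER2-A": "ADOM-AUDIT-CUSTOMER2",
}
CONFIGS = {name: f"config system global\n  set hostname {name}\nend" for name in DEVICES}


def visible_devices(session):
    """showdev must only list devices in the caller's own ADOMs."""
    return sorted(d for d, adom in DEVICES.items() if adom in session.adoms)


def run_console_command(session, argv, client_role=None):
    """Dispatch one console command and return (status, payload).

    client_role mirrors the 0/2 value the browser sees; it is deliberately
    ignored, so tampering with the server response changes nothing here."""
    del client_role
    if not session.terminal_access:
        return "denied", "No permission to console"
    if argv[:1] == ["ssh"]:
        # Outbound SSH from the appliance is an admin-level capability:
        # deny unless a permission explicitly grants it (not modelled here).
        return "denied", "No permission to ssh"
    if argv[:3] == ["execute", "dmserver", "showdev"]:
        return "ok", visible_devices(session)
    if argv[:3] == ["execute", "dmserver", "showconfig"] and len(argv) == 4:
        device = argv[3]
        # Same answer for "not in your ADOM" and "does not exist", so the
        # error does not leak device names across ADOMs.
        if DEVICES.get(device) not in session.adoms:
            return "denied", f"No permission to showconfig {device}"
        return "ok", CONFIGS[device]
    return "denied", f"No permission to {' '.join(argv)}"
```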
Solution
Security patch
Upgrade to a fixed version, as described in the Fortinet Security Advisory.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-42787
https://www.fortiguard.com/psirt/FG-IR-23-187
Credits
Mickael Dorigny at Orange Cyberdéfense
For Hélène Saliou, Frédéric Prevost, François-Xavier Picard at Orange group
Orange CERT-CC at Orange group
Timeline
Date reported: May 31, 2023
Date fixed: October 10, 2023