FortiOS - Local Admin Hash Disclosure

Description

FortiOS is the operating system that powers Fortinet’s next generation firewalls. The operating system provides administrative features for the firewall through an admin portal available through an HTTPS connection. It was discovered that the admin web portal disclosed all password hashes for local admin accounts through web requests made when visiting the ‘Administrators’ tab within the admin portal.

MWR only tested the Fortigate v5.2.7, build718 (GA) Fortigate 1500D admin portal. It was reported by Fortinet that this vulnerability effected multiple versions of FortiOS.

Impact

An authenticated attacker could obtain the admin hashes for all of the local admin accounts for the FortiOS device. An attacker with read-only access to the administrative portal could use this vulnerability to elevate their permission level to that of a read-write user by cracking the obtained hashes.

Cause

An error in the logic handling the request and response for the Administrators tab of the FortiOS admin portal returned password hashes instead of the default value returned by other requests involving admin accounts.

Interim Workaround

At the time of testing, local accounts appeared to be the only type of accounts effected. As a workaround, an external authentication mechanism such as using a RADIUS server for authentication is advised.

Solution

The vendor has provided the following patch information:

Upgrade to FortiOS 5.4.2 GA
Upgrade to FortiOS 5.2.10 GA

Technical Details

Please refer to the attached advisory above.

Further Information

Fortinet Advisory: http://fortiguard.com/advisory/FG-IR-16-050

26/08/2016	Contacted Vendor
15/09/2016	Response received from vendor
19/09/2016	Advisory sent to vendor
02/12/2016	Contacted vendor for status of patch. Vendor notified MWR that a patch has been released for FortiOS versions 5.2.10 and 5.4.2.