FortiOS - Local Admin Hash Disclosure
CVE-2016-7542
Description
FortiOS is the operating system that powers Fortinet’s next generation firewalls. The operating system provides administrative features for the firewall through an admin portal available over an HTTPS connection. It was discovered that the admin web portal disclosed the password hashes of all local admin accounts in the responses to web requests made when visiting the ‘Administrators’ tab within the admin portal.
MWR only tested the admin portal of a Fortigate 1500D running FortiOS v5.2.7, build718 (GA). Fortinet reported that this vulnerability affected multiple versions of FortiOS.
Impact
An authenticated attacker could obtain the admin hashes for all of the local admin accounts for the FortiOS device. An attacker with read-only access to the administrative portal could use this vulnerability to elevate their permission level to that of a read-write user by cracking the obtained hashes.
Cause
An error in the logic handling the request and response for the Administrators tab of the FortiOS admin portal returned password hashes instead of the default value returned by other requests involving admin accounts.
Interim Workaround
At the time of testing, local accounts appeared to be the only type of accounts affected. As a workaround, an external authentication mechanism, such as authenticating administrators against a RADIUS server, is advised.
Solution
The vendor has provided the following patch information:
- Upgrade to FortiOS 5.4.2 GA
- Upgrade to FortiOS 5.2.10 GA
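The following triage helper is an added example and is not part of the MWR or Fortinet advisory. It parses a FortiOS version string of the form shown above ("v5.2.7, build718 (GA)") and compares it against the two fixed releases listed in the Solution section. The assumptions are labelled in the code: only the 5.2 and 5.4 branches have a fix version stated on this page, so any other branch is reported as UNKNOWN rather than assumed safe, and the build number is ignored because the fix is tied to the GA release number.

```python
"""Triage helper for CVE-2016-7542 (added example, not advisory code).

Assumptions (not stated by the advisory):
  - A version below the fixed release on the 5.2 or 5.4 branch is reported
    as UNPATCHED; the advisory does not list every affected version, so
    this is a conservative reading of "upgrade to 5.2.10 / 5.4.2".
  - Branches other than 5.2 and 5.4 are reported as UNKNOWN and should be
    checked against the vendor advisory FG-IR-16-050.
  - The build number (e.g. build718) is ignored; the fix is keyed to the
    GA release number.
"""
import re
from typing import Optional, Tuple

# Fixed releases quoted in the Solution section, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (5, 2): (5, 2, 10),
    (5, 4): (5, 4, 2),
}

# Accepts "5.2.10", "v5.2.7, build718 (GA)", "v5.4.2 GA" and similar prefixes.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a FortiOS version string, or None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def cve_2016_7542_status(text: str) -> str:
    """Return 'PATCHED', 'UNPATCHED' or 'UNKNOWN' for a FortiOS version string."""
    ver = parse_version(text)
    if ver is None:
        return "UNKNOWN"
    fixed = FIXED_RELEASES.get(ver[:2])
    if fixed is None:
        # Branch not covered by the fix versions on this page.
        return "UNKNOWN"
    # Tuple comparison orders (major, minor, patch) numerically, so 5.2.10 > 5.2.7.
    return "PATCHED" if ver >= fixed else "UNPATCHED"


if __name__ == "__main__":
    # Constructed sample inputs; the first is the tested build from the advisory.
    for sample in ("v5.2.7, build718 (GA)", "5.2.10", "5.4.1", "v5.4.2 GA", "5.6.0"):
        print(f"{sample:25s} -> {cve_2016_7542_status(sample)}")
```

Feed the function the version string reported by the device (for example from the dashboard or the system status output) to decide whether the listed upgrade applies; an UNKNOWN result means the page's fix list does not cover that branch, not that the device is safe.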
Technical Details
Please refer to the attached advisory above.
Further Information
Fortinet Advisory: http://fortiguard.com/advisory/FG-IR-16-050