Tag Archives: FortiGate Firewall

FortiGate Next Generation Firewall leverages dedicated security processors and threat intelligence security services from FortiGuard.

FortiOS CVE-2018-13379 Advisory FG-IR-18-384

Allegedly, many admins have not updated their FortiGate VPNs, and attackers are now attacking those systems. The reason is that exploit code for the vulnerability (CVE-2018-13379) from 2019 has now emerged.

Successful attacks on FortiOS devices configured for SSL-VPN are possible by sending specially crafted HTTP requests. Attackers could read system files and thereby obtain, for example, unencrypted access credentials. They could then log in to vulnerable VPN firewalls and compromise them.

FortiOS, which runs on FortiGate firewalls, has a total of six security holes across several versions of the security network operating system that affect the SSL-VPN web portal. Fortinet has published the FortiGuard Security Advisories with update notes.

FortiGuard PSIRT Advisory

The original text excerpt:

FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests

Summary

A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Impact

Information Disclosure
Affected Products
FortiOS 6.0 – 6.0.0 to 6.0.4
FortiOS 5.6 – 5.6.3 to 5.6.7
FortiOS 5.4 – 5.4.6 to 5.4.12
(other branches and versions than above are not impacted)
ONLY if the SSL VPN service (web-mode or tunnel-mode) is enabled.
Solutions

Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above.

Workarounds:

As a temporary solution, the only workaround is to totally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI commands:

config vpn ssl settings
unset source-interface
end

Note that firewall policies tied to SSL VPN will need to be unset first for the above sequence to execute successfully.

As an example, when source-interface is “port1” and SSL VPN interface is “ssl.root”, the following CLI commands would be needed to ensure “unset source-interface” executes successfully:

config vpn ssl settings
config authentication-rule
purge (purge all authentication-rules)
end
end

config firewall policy
delete [policy-id] (SSL VPN policy ID(s) that srcintf is “ssl.root” and dstintf is “port1”)
end

Note that code to exploit this vulnerability in order to obtain the credentials of logged in SSL VPN users was disclosed. In absence of upgrading to the versions listed above, mitigating the impact of this exploit can be done by enabling two-factor authentication for SSL VPN users. An attacker would then not be able to use stolen credentials to impersonate SSL VPN users.
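The advisory above names three affected version ranges and ties exposure to whether the SSL VPN service is enabled. The following script is an added example, not Fortinet code or part of the advisory: it turns those ranges into a small version check that an inventory or audit job can run over the version strings collected from devices. The version-string format it parses (`v6.0.4,build0231`, as printed by `get system status`) is an assumption; only the dotted numeric prefix is used.

```python
"""Check a FortiOS build against the ranges listed in advisory FG-IR-18-384.

Added example (not Fortinet code). The affected ranges are copied from the
advisory text; `ssl_vpn_enabled` mirrors its condition that only devices with
the SSL VPN service (web-mode or tunnel-mode) enabled are exposed.
"""
from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected ranges per FG-IR-18-384: (branch, first affected, last affected), inclusive.
# The advisory states that other branches and versions are not impacted.
AFFECTED_RANGES: List[Tuple[str, Version, Version]] = [
    ("6.0", (6, 0, 0), (6, 0, 4)),
    ("5.6", (5, 6, 3), (5, 6, 7)),
    ("5.4", (5, 4, 6), (5, 4, 12)),
]


def parse_version(text: str) -> Version:
    """Parse strings such as '6.0.4' or 'v6.0.4,build0231' into (major, minor, patch).

    Assumed format: a dotted numeric version, optionally prefixed with 'v' and
    followed by a comma-, dash- or space-separated build suffix, which is ignored.
    """
    text = text.strip().lstrip("vV")
    text = text.split(",")[0].split("-")[0].split(" ")[0]
    parts = text.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(version_text: str, ssl_vpn_enabled: bool) -> str:
    """Classify a device as 'vulnerable', 'not_exposed' or 'not_affected'.

    'not_exposed' means the build is in an affected range but the SSL VPN
    service is disabled, which the advisory gives as the temporary workaround.
    """
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    for b, lo, hi in AFFECTED_RANGES:
        if b == branch and lo <= v <= hi:
            return "vulnerable" if ssl_vpn_enabled else "not_exposed"
    return "not_affected"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version string, SSL VPN enabled).
    inventory = [
        ("fw-branch-1", "v6.0.4,build0231", True),
        ("fw-branch-2", "v5.6.8,build1672", True),
        ("fw-lab", "v5.4.10,build1217", False),
    ]
    for host, ver, ssl in inventory:
        print(f"{host:12s} {ver:20s} -> {assess(ver, ssl)}")
```

Treat "not_exposed" as a temporary state only: the advisory's permanent fix is the upgrade, and the workaround is undone as soon as SSL VPN is re-enabled.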

Nameserver resolvconf Ubuntu

Ubuntu uses the nameserver resolvconf program to configure local DNS resolution. The resolvconf package includes a simple database and a runtime for dynamically modifying nameserver information.


Typically, resolvconf is invoked by network-interface hooks such as ifup, ifdown, NetworkManager, dhclient and pppd, or by local nameservers such as dnsmasq, to update the DNS information.

If static IP addresses and DNS records are used on a host, the resolvconf package should be deactivated under Ubuntu so that the DNS configuration is not generated automatically from the dnsmasq daemon. Otherwise the configuration edited in /etc/resolv.conf and /etc/network/interfaces will be overwritten by the resolvconf program.

Disable nameserver resolvconf

$ resolvconf --disable-updates

Disable the resolver service (systemd-resolved) at boot level and stop the running program.

$ systemctl disable systemd-resolved.service
$ service systemd-resolved stop

Configure NetworkManager to use the default DNS handling.

$ vi /etc/NetworkManager/NetworkManager.conf
..
dns=default
..

Remove the symlink resolv.conf under /etc.

$ rm /etc/resolv.conf

Edit resolv.conf

and create a new resolv.conf file with the nameservers. In this example, it is Google Public DNS.

  On a local network or ADS the internal nameservers should be used.

$ vi /etc/resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4

Delete the resolv.conf file of the systemd configuration program.

$ rm /etc/systemd/resolved.conf

Restart NetworkManager to apply the configuration change.

$ service network-manager restart

Nameservers can also be defined in the interface configuration.

$ vi /etc/network/interfaces

auto lo
iface lo inet loopback

auto ens160
iface ens160 inet static
  address 10.10.0.8
  gateway 10.10.0.1
  netmask 255.255.255.0
  network 10.10.0.0
  broadcast 10.10.0.255
  dns-nameservers 8.8.8.8 8.8.4.4
  dns-search my.local

The interface name (ens160) may differ and must correspond to that of the respective host.

  The /etc/resolv.conf file should not be missing.

Now restart networking so that the new network settings are read in.

$ /etc/init.d/networking restart
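The procedure above keeps nameservers in two places, /etc/resolv.conf and the interface stanza in /etc/network/interfaces, and notes that resolv.conf must not be missing. The script below is an added example, not part of the original post: it parses both formats, checks that every nameserver entry is an IP literal (resolv.conf does not accept hostnames), and reports where the two sources disagree. The sample files are constructed inline so it runs offline; `check_host()` reads the real files and its interface name `ens160` is taken from the post.

```python
"""Cross-check resolver settings between /etc/resolv.conf and an ifupdown stanza.

Added example, not from the original post. Sample inputs below are constructed.
"""
import ipaddress
from pathlib import Path
from typing import Dict, List


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Return {'nameserver': [...], 'search': [...]} from resolv.conf text.

    Comment lines ('#' or ';') and unknown keywords are ignored; 'domain'
    is folded into 'search' since both set the lookup suffix.
    """
    out: Dict[str, List[str]] = {"nameserver": [], "search": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *vals = line.split()
        if key == "nameserver" and vals:
            out["nameserver"].append(vals[0])
        elif key in ("search", "domain"):
            out["search"].extend(vals)
    return out


def parse_interfaces(text: str, iface: str) -> Dict[str, List[str]]:
    """Return dns-nameservers / dns-search of one 'iface <name>' stanza."""
    out: Dict[str, List[str]] = {"nameserver": [], "search": []}
    in_stanza = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        # Any of these keywords starts a new top-level stanza.
        if words[0] in ("iface", "auto", "allow-hotplug", "mapping", "source"):
            in_stanza = words[0] == "iface" and len(words) > 1 and words[1] == iface
            continue
        if in_stanza and words[0] == "dns-nameservers":
            out["nameserver"].extend(words[1:])
        elif in_stanza and words[0] == "dns-search":
            out["search"].extend(words[1:])
    return out


def invalid_addresses(servers: List[str]) -> List[str]:
    """Entries that are not valid IPv4/IPv6 literals."""
    bad = []
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)
    return bad


def compare(resolv_text: str, interfaces_text: str, iface: str) -> List[str]:
    """Return a list of findings; empty when both sources are valid and agree."""
    findings = []
    r = parse_resolv_conf(resolv_text)
    i = parse_interfaces(interfaces_text, iface)
    if not r["nameserver"]:
        findings.append("resolv.conf lists no nameserver")
    for src, cfg in (("resolv.conf", r), ("interfaces", i)):
        for s in invalid_addresses(cfg["nameserver"]):
            findings.append(f"{src}: '{s}' is not an IP address")
    if i["nameserver"] and set(r["nameserver"]) != set(i["nameserver"]):
        findings.append(f"nameserver mismatch: resolv.conf={r['nameserver']} interfaces={i['nameserver']}")
    if i["search"] and set(r["search"]) != set(i["search"]):
        findings.append(f"search mismatch: resolv.conf={r['search']} interfaces={i['search']}")
    return findings


def check_host(iface: str = "ens160") -> List[str]:
    """Run compare() against the real files of this host (not used by the demo)."""
    return compare(Path("/etc/resolv.conf").read_text(),
                   Path("/etc/network/interfaces").read_text(), iface)


# Constructed sample files mirroring the post's configuration.
SAMPLE_RESOLV = "nameserver 8.8.8.8\nnameserver 8.8.4.4\nsearch my.local\n"
SAMPLE_INTERFACES = """auto lo
iface lo inet loopback

auto ens160
iface ens160 inet static
  address 10.10.0.8
  gateway 10.10.0.1
  netmask 255.255.255.0
  dns-nameservers 8.8.8.8 8.8.4.4
  dns-search my.local
"""
# Constructed drifted resolv.conf: a hostname entry and no search domain.
SAMPLE_RESOLV_DRIFT = "nameserver 8.8.8.8\nnameserver dns.local\n"

if __name__ == "__main__":
    print(compare(SAMPLE_RESOLV, SAMPLE_INTERFACES, "ens160"))
    for finding in compare(SAMPLE_RESOLV_DRIFT, SAMPLE_INTERFACES, "ens160"):
        print("-", finding)
```

Running it on a host after the restart steps above gives a quick check that resolvconf or systemd-resolved has not rewritten resolv.conf behind the static configuration.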

Troubleshooting using DNS

Many network issues are caused by incorrect DNS settings or a misconfigured resolver. In a home network there is often no internal DNS, so the router or firewall, such as a Linksys or Netgear router, can be used as the nameserver. Basically, it should be ensured that the firewall in use has a DNS cache; among semi-professional firewalls such as the FortiGate, not every model provides one. Most open-source-based firewalls provide a cache through a DNS forwarder or dnsmasq.

After changing the nameservers on Windows, open a command prompt and reset the DNS cache.

C:\> ipconfig /flushdns

On Linux, the DNS cache can be reset from the terminal with one of the following commands, depending on which service is installed.

$ sudo /etc/init.d/nscd restart
$ service nscd restart
$ service nscd reload
$ sudo /etc/init.d/dnsmasq restart
$ service dnsmasq restart
$ rndc reload

In the Mac OS X terminal as root.

$ lookupd -flushcache

If there is no internal DNS in the local network, the nameservers of the Internet provider can be used, or alternatively the Cloudflare public DNS.

1.1.1.1 1.0.0.1

Example of querying the provider's nameservers on Windows.

C:\> nslookup -type=ns green.ch
Server: dns1.agrinet.ch
Address: 81.221.250.11

Non-authoritative response:
green.ch nameserver = dns2.agrinet.ch
green.ch nameserver = dns1.agrinet.ch

dns1.agrinet.ch internet address = 81.221.250.11

Example nameserver lookup query on Linux.

$ host -t ns green.ch
green.ch name server dns1.agrinet.ch.
green.ch name server dns2.agrinet.ch.

$ host dns1.agrinet.ch & host dns2.agrinet.ch
dns1.agrinet.ch has address 81.221.250.11
dns2.agrinet.ch has address 81.221.252.11
dns2.agrinet.ch has IPv6 address 2a01:2a8:2001:252::11

A ping with -n 1 sends a single request; the -a parameter resolves the address to a host name and -4 forces an IPv4 address.

C:\> ping -4 -n 1 -a www.google.com

Ping runs for www.google.com [216.58.201.4] with 32 bytes of data:
Response from 216.58.201.4: Bytes=32 Time=32ms TTL=50

Ping statistics for 216.58.201.4:
    Packages: Sent = 1, Receive = 1, Lost = 0
    (0% loss),
Approx. times in millisec.:
    Minimum = 32ms, Maximum = 32ms, Mean = 32ms

Show the DNS nameservers currently in use via the systemd resolver.

$ systemd-resolve --status