
Fortinet FortiManager - Asynchronous tasks that use `taskid` in the FortiManager are vulnerable to IDOR vulnerability (CVE-2023-44249)

Moderate
orange-cert-cc published GHSA-x8rp-jfwc-gqqj Oct 19, 2023

Package

FortiManager (Fortinet)

Affected versions

VM64 v7.2.2-build1334 230201 (GA)

Patched versions

7.2.4

Description

Overview

Asynchronous tasks that use taskid in the FortiManager are vulnerable to an IDOR (Insecure Direct Object Reference) vulnerability. A user assigned to one ADOM is able to retrieve the results of taskids belonging to other ADOMs.
Any user is able to brute-force the numerical taskid value and then retrieve the results of a specific taskid, even if it concerns another ADOM. This results in a leak of information related to other ADOMs.

Details

Some actions in the FortiManager Policy & Objects menu generate task creation requests that are executed asynchronously; each task is assigned a numeric taskid value returned by the server in response to the first request. taskid values are weak, numerical and incremental (e.g. 8620) and can be stored for several months on the FortiManager without expiring. The vulnerability results from the combination of the predictable taskid and a lack of permission control when taskid results are requested: any user can request the result of a taskid that is not related to their ADOM.

Proof of Concept

  • Location of the vulnerable functionality on FortiManager (as a read-write or read-only user assigned to a single ADOM):

Policy & Objects > Tools > Find Unused Policies

  • A first request containing the task definition is sent; the server responds with a taskid.
  • A few seconds later, the client sends a second request with this taskid to retrieve the result of the task executed by the server, once execution has finished.
  • The taskid identifier appears to be incremental and subject to a permission control flaw: any authenticated user can retrieve the results of tasks executed by other users.
  • The result is a brute force of the taskid parameter from a user assigned to a single ADOM, while multiple ADOMs exist on the targeted FortiManager. It appears that the results of tasks executed by the FortiManager are stored for several months: for example, during an attack execution on 09/05/2023, the oldest task that could be found dated from 14/09/2022. Moreover, for an existing taskid, even one not related to the current user's ADOM, the full result is returned to the user by the FortiManager. Among the information found that is normally not accessible to the user:
      • Names of equipment belonging to other ADOMs
      • The names of other ADOMs, which may contain customer information (names) in a real multi-tenant context
      • Usernames
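The two missing controls the advisory describes (ownership of a task result and guessable task identifiers), as an added illustration that is not FortiManager's code: the TaskStore class, its method names and the sample tasks are constructed for this example. The vulnerable lookup trusts the bare taskid; the hardened one binds each task to the ADOM that created it, issues ids from a CSPRNG instead of a counter, and expires results.

```python
import secrets
import time

# Constructed, illustrative model of an asynchronous task store; not FortiManager code.
# Each task records the ADOM of the user who created it so that result retrieval
# can be authorized against that ADOM instead of trusting the bare task identifier.

class TaskStore:
    def __init__(self, ttl_seconds=3600):
        self.tasks = {}          # task_id -> {"adom": str, "result": object, "created": float}
        self.ttl = ttl_seconds   # results expire instead of living on for months
        self._next_seq = 8620    # only used by the deliberately weak issuance below

    # Weak issuance: incremental numeric ids, as described in the advisory (e.g. 8620).
    def create_task_sequential(self, adom, result):
        task_id = str(self._next_seq)
        self._next_seq += 1
        self.tasks[task_id] = {"adom": adom, "result": result, "created": time.time()}
        return task_id

    # Hardened issuance: unguessable id with 128 bits of entropy from a CSPRNG.
    def create_task(self, adom, result):
        task_id = secrets.token_urlsafe(16)
        self.tasks[task_id] = {"adom": adom, "result": result, "created": time.time()}
        return task_id

    # Vulnerable lookup: any authenticated user can fetch any existing task's result.
    def get_result_unchecked(self, task_id):
        task = self.tasks.get(task_id)
        return None if task is None else task["result"]

    # Hardened lookup: the caller's ADOM must match the ADOM that created the task,
    # and expired tasks are treated as absent. Both failures return the same value,
    # so a caller cannot tell "no such task" from "not your task" (no existence oracle).
    def get_result(self, task_id, caller_adom, now=None):
        now = time.time() if now is None else now
        task = self.tasks.get(task_id)
        if task is None or task["adom"] != caller_adom or now - task["created"] > self.ttl:
            return None
        return task["result"]
```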

Solution

Security patch

Upgrade to a fixed version, as described in the Fortinet Security Advisory FG-IR-23-201.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-44249
https://www.fortiguard.com/psirt/FG-IR-23-201

Credits

Mickael Dorigny at Orange Cyberdéfense

For Hélène Saliou, Frédéric Prevost, François-Xavier Picard at Orange group

Orange CERT-CC at Orange group

Timeline

Date reported: May 31, 2023
Date fixed: October 10, 2023

Severity

Moderate


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-44249

Weaknesses