Overview
Asynchronous tasks that use a taskid in FortiManager are vulnerable to an IDOR (Insecure Direct Object Reference). A user assigned to one ADOM is able to retrieve the results of taskids belonging to other ADOMs.
Any authenticated user is able to brute force the numerical taskid value and then read the results of a specific taskid, even if it belongs to another ADOM. This results in a leak of information related to other ADOMs.
Details
Some actions in the FortiManager Policy & Objects menu generate requests that create asynchronously executed tasks; each task is assigned a numeric taskid that the server returns in the response to the first request. taskids are weak, incremental numerical values (for example 8620) and can remain stored on the FortiManager for several months without expiring. The vulnerability is caused by the predictability of the taskid combined with a lack of permission control when the result of a taskid is requested: any user can ask for the result of a taskid that is not related to their ADOM.
Proof of Concept
- Location of the vulnerable functionality on FortiManager (as a read-write or read-only user assigned to a single ADOM):
Policy & Objects > Tools > Find Unused Policies
- A first request with the content of the task is sent; the server responds with a taskid.
- A few seconds later, the client sends a second request with this taskid in order to retrieve the result of the task executed by the server, once execution has finished.
- The taskid identifier appears to be incremental and is subject to a permission control flaw. Any authenticated user can therefore retrieve the results of tasks executed by other users.
- The result is a brute force of the taskid parameter from a user assigned to a single ADOM while multiple ADOMs exist on the targeted FortiManager. It appears that the results of tasks executed by the FortiManager are stored for several months: for example, with an attack executed on 9 May 2023, the oldest task that could be found dated from 14 September 2022. Moreover, for an existing taskid, even if it is not related to the current user's ADOM, the full result is returned to the user by the FortiManager. Among the information found that is normally not accessible to the user:
- Names of equipment belonging to other ADOMs
- The names of other ADOMs, which may contain customer information (names) in a real multi-tenant context
- Usernames
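The following is an added illustration of the flaw described in the Details and Proof of Concept sections; it is not FortiManager code and was not written by the advisory's authors. It models a minimal asynchronous task service in two forms: a vulnerable one with sequential taskids, no ADOM check and no expiry, which the enumeration loop from the PoC can read across tenants, and a hardened one with random ids, ADOM-scoped authorization and bounded retention. All names (User, Task, the service classes, the ADOM and device names) and the sample task results are hypothetical and constructed for the example.

```python
# Added example for CVE-2023-44249 (hypothetical code, not FortiManager's):
# an asynchronous task store with a vulnerable and a hardened result lookup.
import itertools
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    adom: str            # the single ADOM this user is assigned to


@dataclass
class Task:
    adom: str            # ADOM in which the task was created
    owner: str
    result: dict
    created: float = field(default_factory=time.time)


class VulnerableTaskService:
    """Mirrors the flaw: incremental taskid, no ADOM check, no expiry."""

    def __init__(self):
        self._ids = itertools.count(8620)      # predictable, sequential ids
        self._tasks = {}

    def submit(self, user, result):
        taskid = next(self._ids)
        self._tasks[taskid] = Task(user.adom, user.name, result)
        return taskid

    def get_result(self, user, taskid):
        # BUG: only checks that the task exists, never that it belongs to
        # the caller's ADOM, so any authenticated user can read any result.
        task = self._tasks.get(taskid)
        return None if task is None else task.result


class HardenedTaskService:
    """Random task ids, ADOM-scoped authorization, bounded retention."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._tasks = {}
        self._ttl = ttl_seconds
        self._clock = clock                    # injectable for testing expiry

    def submit(self, user, result):
        taskid = secrets.token_urlsafe(16)     # 128 random bits, not enumerable
        self._tasks[taskid] = Task(user.adom, user.name, result, self._clock())
        return taskid

    def get_result(self, user, taskid):
        task = self._tasks.get(taskid)
        if task is None:
            return None
        if self._clock() - task.created > self._ttl:
            del self._tasks[taskid]            # expire stale results
            return None
        if task.adom != user.adom:
            # Same answer as "not found", so a caller cannot even confirm
            # that a given id exists in another ADOM.
            return None
        return task.result


def enumerate_results(service, user, candidates):
    """Brute-force attempt as in the PoC: try many ids, keep the hits."""
    hits = {}
    for taskid in candidates:
        result = service.get_result(user, taskid)
        if result is not None:
            hits[taskid] = result
    return hits


def demo(service_cls, **kwargs):
    """Two tenants submit a task each; the first tenant then enumerates ids."""
    alice = User("alice", "ADOM_customerA")
    bob = User("bob", "ADOM_customerB")
    svc = service_cls(**kwargs)
    # Constructed sample results: the advisory reports that real results
    # exposed device names, ADOM names and usernames of other tenants.
    bob_id = svc.submit(bob, {"devices": ["FGT-customerB-1"], "adom": bob.adom})
    alice_id = svc.submit(alice, {"devices": ["FGT-customerA-1"], "adom": alice.adom})
    guesses = range(8600, 8700)                # sequential window around 8620
    leaked = enumerate_results(svc, alice, guesses)
    return alice_id, bob_id, leaked


if __name__ == "__main__":
    for cls in (VulnerableTaskService, HardenedTaskService):
        _, _, leaked = demo(cls)
        print(cls.__name__, "leaked ADOMs:", sorted(r["adom"] for r in leaked.values()))
```

Against the vulnerable service the enumeration from the single-ADOM user returns customer B's result; against the hardened one it returns nothing, and even a correctly guessed id from another ADOM is answered exactly like a non-existent one. The ownership check on the ADOM is the fix that matters; random ids and expiry only limit the blast radius if such a check is missing again.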
Solution
Security patch
Upgrade to a fixed version, as described in the Fortinet Security Advisory.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-44249
https://www.fortiguard.com/psirt/FG-IR-23-201
Credits
Mickael Dorigny at Orange Cyberdéfense
For Hélène Saliou, Frédéric Prevost, François-Xavier Picard at Orange group
Orange CERT-CC at Orange group
Timeline
Date reported: May 31, 2023
Date fixed: October 10, 2023