Overview
RW/RO customer profiles attached to an ADOM are able to enumerate other ADOM names through error messages.
Details
This can lead to a customer name leak, since an ADOM name will likely contain the customer name. Moreover, this information can be used in other attacks.
Following authentication, a websocket exchange occurs to gather information about the user's ADOM. The websocket requests contain a simple ID that can be incremented in order to leak other ADOM names in error messages.
Proof of Concept
On FortiAnalyzer, from a customer RO or RW profile attached to a single ADOM, the following websocket request is made:
[Figure: PoC]
The URL parameter contains a simple, incremental ID. If the user requests an ID that corresponds to an existing ADOM on the FortiAnalyzer, even if it is not the ADOM they are attached to, the server responds with an error message containing the ADOM name.
Using this behavior, an attacker can obtain a full list of existing ADOMs.
Solution
Orange recommendation
To fix this vulnerability, we recommend that error messages not contain detailed information about the requested item.
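As an added illustration of the recommendation above and of the behavior described in the proof of concept (example code, not FortiAnalyzer's or Fortinet's implementation), the following Python handler resolves an ADOM by its numeric ID for a session attached to a single ADOM. The leaky version echoes the name of an object the caller may not access and distinguishes "not found" from "forbidden"; the hardened version checks authorization against the identifier before touching the object and returns one generic message in both cases. The ADOM names, IDs, session type and messages are constructed for the example.

```python
"""Error-message leak on object lookup, leaky handler beside a hardened one.

Added example, not FortiAnalyzer code. ADOM names, IDs and response
messages below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample data: ADOM names stand in for customer names.
ADOMS = {1: "root", 2: "acme-corp", 3: "globex-ltd", 4: "initech"}


@dataclass(frozen=True)
class Session:
    user: str
    adom_id: int  # the single ADOM this customer profile is attached to


def lookup_adom_leaky(session: Session, requested_id: int) -> dict:
    """Vulnerable pattern: the object is fetched first, and the error text
    reveals both whether the ID exists and what the object is called."""
    adom = ADOMS.get(requested_id)
    if adom is None:
        # Distinguishable from the 'forbidden' case: existence oracle.
        return {"status": "error", "message": f"ADOM id {requested_id} does not exist"}
    if requested_id != session.adom_id:
        # Leak: an unauthorized caller is told the object's name.
        return {"status": "error", "message": f"no permission to access ADOM '{adom}'"}
    return {"status": "ok", "adom": adom}


GENERIC_DENIAL = {"status": "error", "message": "request denied"}


def lookup_adom_hardened(session: Session, requested_id: int) -> dict:
    """Hardened pattern: authorize on the identifier before any lookup,
    and answer 'not permitted' and 'not found' with the same message.
    Detail belongs in a server-side log keyed to the request, not in
    the response body."""
    if requested_id != session.adom_id:
        return dict(GENERIC_DENIAL)
    adom = ADOMS.get(requested_id)
    if adom is None:
        return dict(GENERIC_DENIAL)
    return {"status": "ok", "adom": adom}


def names_learned(handler, session: Session, id_range: range) -> set:
    """Regression check for the fix: collect every ADOM name that appears
    in responses for IDs other than the session's own ADOM. A correctly
    hardened handler yields an empty set."""
    learned = set()
    for i in id_range:
        if i == session.adom_id:
            continue
        resp = handler(session, i)
        for name in ADOMS.values():
            if name in resp.get("message", "") or resp.get("adom") == name:
                learned.add(name)
    return learned


if __name__ == "__main__":
    customer = Session(user="customer2", adom_id=2)
    print("leaky handler reveals:", names_learned(lookup_adom_leaky, customer, range(1, 10)))
    print("hardened handler reveals:", names_learned(lookup_adom_hardened, customer, range(1, 10)))
```

The `names_learned` check is the kind of unit test worth keeping in a code base after such a fix: it fails as soon as someone reintroduces an object name or an existence hint into an error path. Note that the hardened handler also makes the response identical for nonexistent and unauthorized IDs, which closes the existence oracle as well as the name leak.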
Security patch
Upgrade to Fortinet FortiManager 7.2.4
References
https://nvd.nist.gov/vuln/detail/CVE-2023-44253
https://www.fortiguard.com/psirt/FG-IR-23-268
Credits
Mickael Dorigny at Orange Cyberdéfense
Hélène Saliou, Frédéric Prevost, François-Xavier Picard at Orange group
Orange CERT-CC at Orange group
Timeline
Date reported: August 2nd, 2023
Date fixed: February 15, 2024