
Fortinet FortiNAC - improper permissions set for tomcat users configuration file (CVE-2021-43065)

Moderate
orange-cert-cc published GHSA-8wx4-g5p9-348h Dec 8, 2021

Package

FortiNAC (Fortinet)

Affected versions

9.1

Patched versions

9.1.4

Description

Overview

An unprivileged user can read the login and password of the FortiNAC Configuration Wizard, which are stored in cleartext in a tomcat configuration file, and then gain access to the wizard.

Impact

This incorrect permission assignment for a critical resource vulnerability may allow an authenticated attacker to access sensitive system data and, as a consequence, raise the authenticated user's privilege to admin.

Details

An unprivileged SSH user can read the login and password of the FortiNAC Configuration Wizard (https://<FortiNAC IP Address>:8443/configWizard), which are stored in cleartext in a tomcat configuration file, and then gain access to the wizard.
Once connected, the attacker can change parameters, which could lead to a denial of service, or change the config password to prevent an administrator from regaining access to this section.

Proof of Concept

In a CLI SSH session with an unprivileged user, just read the /bsc/services/tomcat-admin/conf/tomcat-users.xml file and connect with a browser to the configWizard.

Solution

Security patch

  • Upgrade to upcoming FortiNAC version 10.0.0 or above.
  • Upgrade to FortiNAC version 9.2.1 or above.
  • Upgrade to FortiNAC version 9.1.4 or above.
  • Upgrade to FortiNAC version 8.8.10 or above.

Workaround

There are no workarounds that address this vulnerability.
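
To check whether a host still exposes the file, the following audit reports its permission bits and which accounts store a password attribute, without printing any secret. It is an added example, not code from Fortinet or Orange CERT-CC; the path is the one given in this advisory, while the sample XML, the `wizard` account name and the 0600 comparison mode are constructed assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Path taken from the advisory; pass another path to audit a different file.
TOMCAT_USERS = "/bsc/services/tomcat-admin/conf/tomcat-users.xml"

def audit_tomcat_users(path=TOMCAT_USERS):
    """Return findings about who can read the file and what it stores."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = {
        "mode": oct(mode),
        "owner_uid": st.st_uid,
        "world_readable": bool(mode & stat.S_IROTH),
        "group_readable": bool(mode & stat.S_IRGRP),
        "accounts_with_password": [],
    }
    # Tomcat may declare a default namespace, so match on the local tag name.
    for elem in ET.parse(path).getroot().iter():
        if elem.tag.rsplit("}", 1)[-1] == "user" and elem.get("password"):
            # Record the account name only; never echo the secret itself.
            findings["accounts_with_password"].append(elem.get("username"))
    findings["exposed"] = findings["world_readable"] and bool(
        findings["accounts_with_password"])
    return findings

def demo():
    """Run the audit on a constructed sample file at 0644 and then 0600."""
    sample = ('<tomcat-users xmlns="http://tomcat.apache.org/xml">'
              '<user username="wizard" password="example-only" roles="admin"/>'
              '</tomcat-users>')  # constructed sample, not FortiNAC content
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "tomcat-users.xml")
        with open(p, "w") as f:
            f.write(sample)
        os.chmod(p, 0o644)   # any local account can read the credentials
        before = audit_tomcat_users(p)
        os.chmod(p, 0o600)   # assumed restrictive mode: owner only
        after = audit_tomcat_users(p)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Run the audit as root so the file can still be parsed once it is restricted. The result covers the file's own mode only, so the owner and the permissions of the parent directories need to be reviewed as well.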

References

https://www.fortiguard.com/psirt/FG-IR-21-178
https://nvd.nist.gov/vuln/detail/CVE-2021-43065

Credits

Orange CERT-CC
Valentin ALLAIRE at Orange group

Timeline

Date reported: September 22, 2021
Date fixed: December 7, 2021

Severity

Moderate 5.7 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2021-43065

Weaknesses