SB2021030421 - Multiple vulnerabilities in FortiProxy SSL-VPN 




Published: March 4, 2021

Security Bulletin ID: SB2021030421
Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2021-22128)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted resources.

The vulnerability exists due to improper access restrictions within the Quick Connection functionality implementation. A remote authenticated user can bypass implemented security restrictions and access internal services such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality.


2) Cleartext storage of sensitive information (CVE-ID: CVE-2020-6648)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because FortiOS displays usernames and passwords in clear text in the output of the "diag sys ha checksum show" command. A local user able to connect to the FortiGate CLI and execute the command can obtain the credentials of other users.


3) Cleartext storage of sensitive information (CVE-ID: CVE-2019-17655)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

A cleartext storage in a file or on disk (CWE-313) vulnerability in FortiOS SSL VPN 6.2.0 to 6.2.2, 6.0.9 and below may allow an attacker to retrieve a logged-in SSL VPN user's credentials should that attacker be able to read the session file stored on the targeted device's system.


4) Cross-site scripting (CVE-ID: CVE-2018-13380)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the SSL VPN web portal. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


Remediation

Install the update from the vendor's website.