fropert_FTNT
Staff
November 24, 2015

PSIRT Note: OpenVAS indicates FortiOS vulnerable to format string attack

Description
OpenVAS/Nessus scanners report that FortiOS is vulnerable to a format string attack via the request URI (Nessus plugin ID 15640).

After investigation, this is a false positive: FortiOS is not vulnerable.

Solution
The OpenVAS/Nessus alert can be ignored as it is a false positive.

The scanner builds multiple HTTP requests with the following attributes:

Method: GET, HEAD, OPTIONS, TRACE, MOVE, INDEX, MKDIR, RMDIR, PUT, DELETE
URI: "%08x", "%s", "%#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x"

It then looks for the following grep pattern in the reply coming from FortiOS: [0-9a-fA-F]{8}

Any reply that happens to contain eight consecutive hexadecimal characters satisfies this pattern, so the check is prone to false positives, and that is what happens here.

FortiOS answers such a request with a 400 response code, and the response body includes a CSRF token (used to protect administrator sessions against cross-site request forgery).

The CSRF token is a 32-character hexadecimal string, so it matches the regex and triggers the vulnerability alert.

cURL example with 192.168.1.1 being the target device:

$ curl -s 'http://192.168.1.1/%s' | egrep '[0-9a-fA-F]{8}'

<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='6fafa724b48c389453e7a3c8593b8834' /></div><div class="dlg" >
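The following script is an added example, not part of the original PSIRT note, and it does not contain Fortinet code. It re-creates the scanner's heuristic (grep for eight hex characters in the reply) and adds the differential check a tester would use to tell a real format-string leak from this CSRF-token false positive: request a benign path of similar length as a baseline, then a format-specifier path, and only treat hex runs that appear exclusively in the probe reply as evidence. The sample replies are constructed (the FortiOS ones mimic the 400 page shown above, with a different token each time because the nonce rotates), the `fetch()` helper and the host 192.168.1.1 are assumed lab values, and the CSRF field layout is assumed to match the cURL output above.

```python
"""Re-create the OpenVAS/Nessus 'format string on URI' heuristic and add a
differential check that separates a genuine leak from the FortiOS CSRF-token
false positive. Sample replies are constructed, not captured from a device."""
import http.client
import re

# The plugin's match pattern: any eight consecutive hexadecimal characters.
HEX8 = re.compile(r"[0-9a-fA-F]{8}")

# The hidden CSRF field FortiOS returns on its 400 page (shape taken from the
# cURL output above; the attribute layout is assumed to be stable).
CSRF_FIELD = re.compile(r"(name='csrfmiddlewaretoken'\s+value=')[0-9a-fA-F]+(')")

# Constructed sample replies. The FortiOS ones mimic the 400 page; the token
# differs between the two because a CSRF nonce rotates per response.
FORTIOS_BASELINE = (
    "<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' "
    "value='0d4e9c11aa7b2f3344cd5566ee778899' /></div><div class=\"dlg\" >"
)
FORTIOS_PROBE = (
    "<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' "
    "value='6fafa724b48c389453e7a3c8593b8834' /></div><div class=\"dlg\" >"
)
# A hypothetical server that really printf()s the path: '%08x%08x' is expanded
# into stack words, while the benign path is echoed back unchanged.
VULN_BASELINE = "<html>404 Not Found: /zzzzzzzz</html>"
VULN_PROBE = "<html>404 Not Found: bffff5a000000001</html>"


def scanner_flags(body: str) -> bool:
    """Nessus plugin 15640 logic: flag the host if the reply has 8 hex digits."""
    return HEX8.search(body) is not None


def strip_csrf_token(body: str) -> str:
    """Blank the CSRF token value so it cannot satisfy the hex heuristic."""
    return CSRF_FIELD.sub(r"\1\2", body)


def verdict(baseline_body: str, probe_body: str) -> str:
    """Differential check.

    baseline_body: reply to a benign path of similar length (e.g. '/zzzzzzzz').
    probe_body:    reply to a format-specifier path (e.g. '/%08x%08x').
    A real format-string leak produces hex runs *only* when specifiers are sent;
    a CSRF token (or any static hex such as a build id) shows up in both replies.
    """
    if not scanner_flags(probe_body):
        return "not-flagged"
    if not HEX8.search(strip_csrf_token(probe_body)):
        return "false-positive: CSRF token"
    if HEX8.search(strip_csrf_token(baseline_body)):
        return "false-positive: hex present in baseline too"
    return "suspicious: hex appears only with format specifiers"


def fetch(host: str, path: str, timeout: float = 5.0) -> str:
    """Plain-HTTP GET for reproducing the scan against a lab device. HTTP is
    used only because that is what the scanner sends; manage devices over HTTPS."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print("scanner flags FortiOS 400 page:", scanner_flags(FORTIOS_PROBE))
    print("FortiOS verdict:", verdict(FORTIOS_BASELINE, FORTIOS_PROBE))
    print("vulnerable-server verdict:", verdict(VULN_BASELINE, VULN_PROBE))
    # Live use against an assumed lab device (uncomment to run):
    # print(verdict(fetch("192.168.1.1", "/zzzzzzzz"),
    #               fetch("192.168.1.1", "/%08x%08x")))
```

The scanner's single-request heuristic fires on the FortiOS page exactly as the note describes, while the baseline comparison shows the hex came from the CSRF field rather than from the format specifiers. For a server that genuinely expands `%08x`, the hex run is present only in the probe reply and the check reports it as suspicious.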

Note that plain HTTP is used in the example above only to show how the OpenVAS/Nessus scan operates.

Fortinet PSIRT recommends using HTTPS for web administrative access on all Fortinet devices.