Description
An information disclosure vulnerability allows a network-adjacent attacker to determine the TCP/IP stack state (including IP address, TCP sequences, etc.) of the system by sending spoofed TCP packets to the target when the latter operates under a weak host model.
FortiOS.
FortiOS may be impacted only if 'asymroute' is enabled or if 'strict-src-check' is disabled.
FortiClient.
FortiClient may be impacted if the host system operates under a weak host model.
Scope
FortiOS IPsec VPN.
FortiClient IPsec VPN.
Solution
FortiOS.
Make sure 'asymroute' is disabled in system settings (note that this is the default):
# config vdom
edit [vdom-name]
# config system settings
set asymroute disable
set asymroute6 disable
end
next
end
If 'asymroute' is enabled, review the unit policy based on the attack scenarios in reference [1] (part "1. Determining the VPN client's virtual IP address").
If 'strict-src-check' is disabled (note that this is the default value), whether or not the system may be vulnerable depends on the unit policy or route settings.
Make sure 'strict-src-check' is enabled:
# config vdom
edit [vdom-name]
# config system settings
set strict-src-check enable
end
next
end
If 'strict-src-check' is disabled, review the unit policy and route settings based on the attack scenarios in reference [1] (part "1. Determining the VPN client's virtual IP address").
For instance:
* When there is no policy allowing TCP packets from 192.168.12.1 to 10.8.0.8, the system is not vulnerable.
* When there is a policy allowing TCP packets from 192.168.12.1 to 10.8.0.8:
** When 'asymroute' is enabled, which is equivalent to loose mode (RFC 3704 section 2.4), the system is vulnerable.
** When 'strict-src-check' is enabled, which is equivalent to strict mode (RFC 3704 section 2.2), the system is not vulnerable.
** When 'strict-src-check' is disabled, which is equivalent to feasible mode (RFC 3704 section 2.3), and there is an alternate route from 10.8.0.x to 192.168.12.x, the system may be vulnerable.
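The cases above can be checked against exported configuration text. The following Python is an added example, not Fortinet code: it parses per-VDOM 'config system settings' blocks in the layout shown in this article and maps them to the RFC 3704 mode and verdict listed above. The function names, the sample configuration and the "review policy and routes" result for feasible mode without an alternate route are assumptions of this example; whether a matching policy or alternate route exists is supplied by the operator.

```python
DEFAULTS = {"asymroute": "disable", "asymroute6": "disable",
            "strict-src-check": "disable"}  # defaults as stated in the article

def parse_vdom_settings(text):
    """Return {vdom: settings} from 'config system settings' inside 'config vdom'."""
    result, stack, vdom = {}, [], None
    for raw in text.splitlines():
        tok = raw.strip().lstrip("# ").split() or [""]  # tolerate a '#' prompt
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack == ["vdom"] and len(tok) > 1:
            vdom = tok[1].strip('"')
            result.setdefault(vdom, dict(DEFAULTS))
        elif (tok[0] == "set" and stack == ["vdom", "system settings"]
              and vdom and len(tok) > 2 and tok[1] in DEFAULTS):
            result[vdom][tok[1]] = tok[2]
    return result

def rpf_mode(s):
    """Map settings to the RFC 3704 mode the article names."""
    if "enable" in (s["asymroute"], s["asymroute6"]):
        return "loose"     # RFC 3704 section 2.4
    if s["strict-src-check"] == "enable":
        return "strict"    # RFC 3704 section 2.2
    return "feasible"      # RFC 3704 section 2.3

def exposure(s, policy_allows, alternate_route):
    """Apply the article's cases; both booleans come from the operator's review."""
    if not policy_allows:
        return "not vulnerable"
    mode = rpf_mode(s)
    if mode == "feasible":
        # The article lists only the alternate-route case; otherwise ask for review.
        return "may be vulnerable" if alternate_route else "review policy and routes"
    return "vulnerable" if mode == "loose" else "not vulnerable"

# Constructed sample, not from a real device: one VDOM per mode.
SAMPLE = "\n".join([
    "config vdom",
    "edit root", "config system settings", "set asymroute enable", "end", "next",
    "edit branch", "config system settings", "set strict-src-check enable", "end", "next",
    "edit lab", "next",
    "end"])

if __name__ == "__main__":
    for name, s in parse_vdom_settings(SAMPLE).items():
        print(name, rpf_mode(s), exposure(s, policy_allows=True, alternate_route=True))
```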
FortiClient.
It depends on the host system FortiClient is installed on, not on FortiClient per se.
Related articles:
[1] https://seclists.org/oss-sec/2019/q4/122
[2] https://en.wikipedia.org/wiki/Host_model
Related Articles
Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing
Technical Note : Reverse Path Forwarding (RPF) implementation and use of strict-src-check enable|dis...
Technical Note: How the FortiGate behaves when asymmetric routing is enabled