FortiGate
Bryan_K__Watson_FTNT
Article Id 198740
Description
Multiple CSRF (Cross-Site Request Forgery) vulnerabilities exist in FortiGate because some GUI pages are not protected by a CSRF token. This could allow a remote attacker to hijack the administrative session while a FortiGate administrator is actively logged in.

Exploiting this attack vector simply requires the victim administrator to open (or to have opened earlier in the same browser instance) a malicious site that targets this vulnerability while logged into the FortiGate as an administrator. The attack works across browser windows and tabs.
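The root cause named above is a state-changing GUI request that is accepted on the strength of the session cookie alone, which the browser attaches to any request regardless of which site initiated it. The following added example (written for this article; it is not FortiOS code, and the handler, session and origin names are assumptions) models that in plain Python: an unprotected handler beside a hardened one that requires a per-session synchronizer token in the form body and rejects POSTs with an untrusted Origin header, then runs a legitimate request and two constructed forged ones through both.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified model of a management-GUI request. The browser sends
# the session cookie automatically, so the cookie by itself cannot prove that
# the administrator intended the request. All names here are assumptions made
# for this example, not FortiOS internals.

# Hypothetical management URL used as the only trusted Origin.
TRUSTED_ORIGINS = {"https://fortigate.example.internal"}


@dataclass
class Session:
    admin: str
    # Per-session secret embedded in pages served by the device, never in a cookie.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookie_session: Optional[Session]  # attached automatically by the browser
    origin: Optional[str]              # Origin header; absent on some navigations
    form: dict                         # POST body fields


def apply_config_change_unprotected(req: Request) -> str:
    """'Before' handler: trusts the session cookie alone, the class of bug described above."""
    if req.cookie_session is None:
        return "401 not logged in"
    return f"200 change applied for {req.cookie_session.admin}"


def apply_config_change_protected(req: Request) -> str:
    """Hardened handler: synchronizer token check plus an Origin check for defence in depth."""
    sess = req.cookie_session
    if sess is None:
        return "401 not logged in"
    # A cross-site form POST carries the initiating site's Origin, not the device's.
    if req.origin is not None and req.origin not in TRUSTED_ORIGINS:
        return "403 untrusted origin"
    # A third-party page cannot read the token out of the device's page, so it
    # cannot include the right value in a forged form. Constant-time comparison.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess.csrf_token):
        return "403 missing or invalid CSRF token"
    return f"200 change applied for {sess.admin}"


def simulate() -> dict:
    """Run one legitimate and two constructed forged requests through both handlers."""
    sess = Session(admin="admin")
    legit = Request(cookie_session=sess,
                    origin="https://fortigate.example.internal",
                    form={"csrf_token": sess.csrf_token, "setting": "new-value"})
    # Forged: cookie still attached by the browser, token unknown, foreign Origin.
    forged = Request(cookie_session=sess,
                     origin="https://third-party.example",
                     form={"setting": "new-value"})
    # Forged request submitted in a way that carries no Origin header at all.
    forged_no_origin = Request(cookie_session=sess, origin=None,
                               form={"setting": "new-value"})
    return {
        "unprotected_forged": apply_config_change_unprotected(forged),
        "protected_legit": apply_config_change_protected(legit),
        "protected_forged": apply_config_change_protected(forged),
        "protected_forged_no_origin": apply_config_change_protected(forged_no_origin),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The Origin check alone is not sufficient, because some browser request paths omit the header; the token check is what decides the last case, which is why the hardened handler applies both.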



Reference
This vulnerability is detailed at the following links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1414

http://www.exploit-db.com/exploits/26528/

http://www.fortiguard.com/advisory/FGA-2013-22/
Scope
FortiGate firewall devices running FortiOS versions before 4.3.13 and 5.0.2, including 4.2 and earlier.

Workaround
Upgrading to FortiOS 4.0 MR3 Patch 14 or FortiOS 5.0 Patch 2 or later is the preferred way to eliminate this vulnerability. Where upgrading is impractical, other measures must be taken to ensure that browser sessions cannot be hijacked through this attack vector.

Practicing safe browsing is the key to mitigating CSRF and XSS attacks, and as an administrator of security devices one should always assume that attacks exist against every device being administered. In an ideal world, a browser instance started from a fresh, secure live-CD boot would provide a pristine starting point for administrative browsing, free of the plugins, malware and rootkits that could undermine safe browsing practices. That is often not practical for day-to-day administration of a multitude of security devices. Limiting administration of security devices to browser instances that are not used for general internet browsing also reduces exposure to XSS and CSRF attacks, though malicious code may already be present in the administrator's local environment.

For a more usable solution in Firefox, one option that adds some complexity to the browsing experience but stops XSS and CSRF attempts is to use a browser extension specifically designed to prevent untrusted sites from mounting CSRF and XSS attacks.

In our FortiLab we have tested NoScript which is a free, open source white-list tool that allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice. NoScript is available at http://noscript.net/ and in its default configuration was proven to block CSRF attacks against logged-in FortiGate administrator sessions in our FortiLab test environment.
