pkarna_FTNT
Staff
Article Id 200212
Description

This article provides the response of Fortinet for the mnemonic report SNIcat: Circumventing the guardians.

Related document:

https://www.mnemonic.no/blog/introducing-snicat

Scope

Solution

The main concern of the blog is that the TLS ClientHello packet always reaches the destination server, even when the domain being accessed is blacklisted or blocked by a web filter category on the firewall.

The firewall only blocks the session after the TLS handshake has completed, not earlier.

The researchers behind the above blog exfiltrated data through a FortiGate/FortiOS unit performing SSL deep inspection by placing the exfiltrated data in the SNI field of the ClientHello message.

By doing so, they were able to bypass the web filter profile configured on the device.

To achieve this, the attacker needs control of a host within the internal network from which they can run the SNIcat tool to exfiltrate the data.

To prevent the tool from getting into the network and to detect the traffic patterns of the commands it sends, Fortinet issued the following signatures, respectively:

1) Python/SNICat.A!exploit

2) SNIcat.Data.Exfiltration.Tool
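Because the ClientHello, and the SNI it carries, is sent in cleartext before any block decision is made, a network sensor can examine it directly. The following added example (not Fortinet's code and not the SNIcat tool) parses the SNI out of a captured ClientHello record and scores it with a simple length-and-entropy heuristic, since encoded payloads carried in the SNI produce long, high-entropy DNS labels; the ClientHello bytes, the host names, the 20-character label floor and the 4.0-bit threshold are all constructed for the example.

```python
import math
import struct
from typing import Optional

def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello carrying one SNI (constructed sample input)."""
    name = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    ext_data = struct.pack("!H", len(server_name)) + server_name       # server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data     # type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                                 # version + random
            + b"\x00"                                                  # empty session id
            + b"\x00\x02\xc0\x2f"                                      # one cipher suite
            + b"\x01\x00"                                              # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return its SNI host name, or None."""
    if record[:1] != b"\x16" or record[5:6] != b"\x01":
        return None
    p = 9 + 2 + 32                                       # past headers, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                   # list len(2) + name type(1) precede name len
            nlen = struct.unpack("!H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + nlen].decode("ascii", "replace")
        p += 4 + elen
    return None

def sni_exfil_score(sni: str) -> float:
    """Shannon entropy (bits/char) of the longest DNS label; 0.0 for labels under 20 chars."""
    label = max(sni.split("."), key=len)
    if len(label) < 20:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def is_suspicious_client_hello(record: bytes, threshold: float = 4.0) -> bool:
    sni = extract_sni(record)
    return sni is not None and sni_exfil_score(sni) >= threshold

# Constructed samples: a benign host name and a base32-looking chunk carried in the SNI.
BENIGN = build_client_hello("www.example.com")
ENCODED = build_client_hello("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567.c2.example")
```

A sensor placed where it can see the ClientHello (before the handshake completes) would apply the heuristic to every SNI it sees; the threshold must be tuned against the legitimate long host names in the environment to keep false positives down.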