Description
This article discusses a possible authentication bypass in certain versions of FortiMail.
This vulnerability is in limited versions and has been addressed/blocked in later versions as discussed below.
Because this issue can be exploited remotely, Fortinet strongly recommends that all customers running vulnerable versions upgrade immediately.
The following information details actions which should be taken to ensure no unauthorized changes have been made to the system.
Scope
Affected Products.
FortiMail versions 5.4.10 and below.
FortiMail versions 6.0.7 and below.
FortiMail versions 6.2.2 and below.
FortiMail versions 5.3 and lower are not impacted by this vulnerability.
FortiMail Cloud has been upgraded to non-impacted versions.
Solution
Verify the current firmware version and upgrade to:
FortiMail version 5.4.11 or above.
FortiMail version 6.0.8 or above.
FortiMail version 6.2.3 or above.
How to Upgrade FortiMail Firmware in HA Mode.
https://cookbook.fortinet.com/how-to-upgrade-fortimail-firmware-in-ha-mode/index.html
How to determine the firmware version of a FortiMail?
1) From the admin GUI: access the GUI at https://<FortiMail-IP>/admin.
Go to Dashboard -> Status -> System Information Widget and verify the firmware version:
The version in this snapshot below is 6.2.3.
2) To determine the version number from the CLI, enter the following command:
# get system status
The version in this snapshot above is 6.0.8.
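To repeat the version check above across many units, the following added Python example (not Fortinet's code) extracts the version token from saved `get system status` output and maps it to the affected and fixed ranges listed in this article. The sample output is constructed, and the surrounding layout of `get system status` is assumed; only the `vMAJOR.MINOR.PATCH` token is relied on.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory: branch (major, minor) -> highest affected patch level
AFFECTED_THROUGH = {(5, 4): 10, (6, 0): 7, (6, 2): 2}
# First fixed release per branch, also from the advisory
FIXED_FROM = {(5, 4): 11, (6, 0): 8, (6, 2): 3}

# Only the vMAJOR.MINOR.PATCH token is relied on; the rest of the
# 'get system status' layout is assumed and may differ between models.
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")

# Constructed sample of saved 'get system status' output (not real device output)
SAMPLE_STATUS = """\
Version: FortiMail-VM v6.0.7,build0000,000000 (GA)
Serial-Number: FEVM-PLACEHOLDER
"""


def parse_version(status_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from saved CLI output, or None if absent."""
    match = VERSION_RE.search(status_output)
    if match is None:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int]) -> str:
    """Classify a firmware version against the advisory's affected/fixed ranges."""
    major, minor, patch = version
    branch = (major, minor)
    if branch <= (5, 3):
        # 5.3 and lower are stated as not impacted
        return "not impacted"
    if branch in AFFECTED_THROUGH:
        if patch <= AFFECTED_THROUGH[branch]:
            fixed = FIXED_FROM[branch]
            return f"affected: upgrade to {major}.{minor}.{fixed} or above"
        return "fixed"
    # e.g. a 6.1.x release: the advisory lists no range, so do not guess
    return "not listed in advisory"


def assess_output(status_output: str) -> str:
    """Parse saved output and classify it in one step."""
    version = parse_version(status_output)
    if version is None:
        return "unknown: no version string found"
    return assess(version)


if __name__ == "__main__":
    print(assess_output(SAMPLE_STATUS))
```

Branches the article does not list are reported as "not listed in advisory" rather than guessed, so that the script never reports a release as safe on its own authority.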
Workaround Technical Guide.
The vulnerability affects only the admin interface, not the Webmail user interface.
To mitigate it, disable the HTTP/HTTPS admin interface on public-facing interfaces; this blocks attacks from the internet.
From GUI.
1) Go to System -> Network -> Edit Interface-> Advanced Setting.
2) Disable 'HTTPS' and 'HTTP'.
From CLI.
# config system interface
edit portX (write the port number)
set allowaccess ping
end
- In version 6.0.0 and above, the admin and user interfaces can be enabled on separate interfaces via Network > Interface > Edit Interface> Advanced Setting > Web Access, allowing the admin interface to be disabled on the internet facing interfaces whilst allowing the user interface.
From GUI.
1) Go to Network -> Interface -> Edit Interface -> Advanced Setting -> Web Access.
2) Disable 'admin'.
From CLI.
# config system interface
edit portX (write the port number)
set webaccess webmail
end
- In version 5.4, HTTPS can be disabled, but this will also disable the WebMail/User Quarantine interface. An external Layer 7 WAF solution controlling access to http(s)://<fortimail_IP>/admin can be used to mitigate this risk until the unit is upgraded.
Even if the firmware has already been upgraded to the latest version, Fortinet recommends that administrators validate that the configuration is as expected and that no unauthorized changes have been made.
Review all the admin accounts.
Check under System -> Administrator and remove unknown or unused accounts.
Go to System -> Administrator -> Administrator.
If an admin account exists that is unknown, was not created by the user, or is no longer required, select it from the list and select the 'Delete' button to remove it from the configuration.
From CLI run the following command to list the configured admin users on FortiMail.
# get admin list
To delete or remove unknown or unused accounts from the CLI:
# config system admin
delete <name_str>
end
Use the command below to configure FortiMail administrator accounts:
# config system admin
edit <name_str>
set status {enable | disable}
set is-system-domain {no | yes}
set auth-strategy {ldap | local | sso | pki | radius}
set password <password_str>
set trusthosts <host_ipv4mask>
set webmode {basic | advanced}
set ldap-profile <profile_name>
set access-profile <profile_name>
set theme <theme_str>
set language <lang_str>
next
end
CLI Reference and Description of options under 'config system admin'.
https://docs.fortinet.com/document/fortimail/6.2.0/cli-reference/291649/system-admin#config_37334023...
Configuring administrator accounts and access profiles.
https://docs.fortinet.com/document/fortimail/6.2.0/administration-guide/347528/configuring-administr...
- Change Admin accounts passwords.
For the local admin accounts, consider changing passwords for all the local admin accounts as a security measure.
Administrator passwords have to be at least six characters long, use both numbers and letters, and be changed regularly.
Administrator passwords can be changed from GUI and CLI.
From GUI.
1) Go to System -> Administrator -> Administrator.
2) Either select 'New' to add an account or select an account to modify it.
3) Select 'Change Password'.
From 6.2 and above, when the password is changed, the new password cannot be the same as the old one.
After the password change, the administrator is required to log in again.
However, if other administrators' passwords are changed, these rules are not applied.
This field does not appear if the authentication type is not Local.
From CLI.
# config system admin
edit <name_str>
set password <password_str>
end
Note.
<name_str>: enter the name of the administrator account.
<password_str>: enter the password for the administrator account.
Caution: Do not enter a FortiMail administrator password less than six characters long.
For better security, enter a longer password with a complex combination of characters and numbers, and change the password regularly.
Failure to provide a strong password can compromise the security of the FortiMail.
Restrict administrative access to the trusted hosts/networks (System -> Administrator -> Administrator) from which legitimate FortiMail administrators will connect.
Trusted hosts: configure an administrative account to be accessible only to someone who is using a trusted host.
Set a specific IPv4 or IPv6 address or subnet from which this administrator can log in.
Add up to 10 trusted hosts.
If the administrator needs to access the FortiMail from any IP address, use 0.0.0.0/0.0.0.0. Enter the IP address and netmask in dotted decimal format.
For example, it is possible to permit the administrator to log in to the FortiMail from the private network by typing 192.168.1.0/255.255.255.0.
Note.
For additional security, restrict all trusted host entries to administrative hosts on the trusted private network.
1) Go to System -> Administrator -> Administrator.
2) Either select 'New' to add an account or select an account to modify it.
3) In Trusted hosts: add the IP address of the user owner or administrator subnet.
4) From '+' icon it is possible to add multiple IP addresses.
From CLI.
# config system admin
edit <name_str>
set trusted-hosts xx.xx.xx.xx/xx yy.yy.yy.yy/yy
end
Review and validate AntiSpam/AntiVirus/Content Action Profiles.
Make sure that the notification and BCC configuration has not changed and the configured email addresses are valid.
AntiSpam Action Profile.
From GUI.
1) Go to Profile -> AntiSpam -> Action.
2) Select first action profile.
3) Select 'Edit'.
4) Check the BCC configuration and make sure that there are no email addresses outside the domain.
5) Check 'Notify with profile'; if a Notification Profile is selected, select 'Edit'.
6) Make sure the email addresses in the 'Notification Profile' are correct and all of them belong to the domain.
7) Repeat the same for all 'Actions Profiles'.
Repeat The Same steps for AntiVirus/Content Action profiles.
Review and validate the Archive Accounts.
Make sure that no new archive accounts have been created and check the existing ones.
1) Go to Email Archiving -> Archive Account.
2) Check the archive accounts list and make sure all accounts are known and expected; delete unknown accounts as required.
3) To delete one of them, select it then select 'Delete' button.
4) Select first account and select 'Edit'.
5) Make sure that 'Forward to:' is configured with valid email address.
6) Repeat the same steps on all the accounts.
Review and validate the Reports.
Make sure that there is no new report created and all existing ones are configured with valid email addresses.
1) Go to Log & Reports -> Report Setting.
2) Check the Reports list and make sure no new reports have been created.
3) Select first report and select 'Edit'.
4) Under 'Email Notification,' make sure that all email addresses are valid.
5) Repeat the same for each report.
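The account review (unknown admin accounts, trusted hosts left at 0.0.0.0/0.0.0.0) and the email-address review of the action, archive and report settings above can be repeated mechanically against a saved configuration backup. The following added Python example (not Fortinet's code) does both over a constructed configuration excerpt. The `config system admin` layout follows the CLI shown in this article and both the `trusthosts` and `trusted-hosts` spellings used on this page are accepted; the section name and keys holding the email addresses in the sample are hypothetical placeholders, and the audit only scans for address-shaped strings, so it does not depend on them.

```python
import re
from typing import Dict, List, Set

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Trusted-host values that mean "log in from anywhere"
ANY_HOST = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "::/0"}

# Constructed configuration excerpt (not a real backup). The 'config system admin'
# layout follows the article's CLI; the notification section and its keys are
# hypothetical placeholders, since the audit only looks for email-shaped strings.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set status enable
        set trusthosts 192.168.1.0/255.255.255.0
    next
    edit "netops"
        set status enable
        set auth-strategy radius
    next
    edit "svc-backup"
        set status enable
        set trusted-hosts 0.0.0.0/0.0.0.0
    next
end
config hypothetical-notification-section
    edit "default"
        set notify-to alerts@example.com
        set bcc-to collector@mail-example.net
    next
end
"""


def parse_admins(config_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {account: {setting: values}} for entries under 'config system admin'."""
    admins: Dict[str, Dict[str, List[str]]] = {}
    in_admin = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_admin = True
        elif not in_admin:
            continue
        elif line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            admins[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split()
            admins[current][parts[1]] = parts[2:]
        elif line == "next":
            current = None
        elif line == "end":
            in_admin = False
    return admins


def audit_admins(admins: Dict[str, Dict[str, List[str]]], expected: Set[str]) -> List[str]:
    """Flag accounts not on the expected list and accounts reachable from any address."""
    findings = []
    for name, settings in admins.items():
        if name not in expected:
            findings.append(f"admin '{name}': not in the expected account list")
        # accept both spellings of the trusted-hosts setting seen in this article
        hosts = settings.get("trusthosts") or settings.get("trusted-hosts") or []
        if not hosts:
            findings.append(f"admin '{name}': no trusted hosts configured")
        elif any(h in ANY_HOST for h in hosts):
            findings.append(f"admin '{name}': trusted hosts allow login from any address")
    return findings


def audit_emails(config_text: str, allowed_domains: Set[str]) -> List[str]:
    """Flag every email address in the configuration whose domain is not allowed."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for addr in EMAIL_RE.findall(line):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in allowed_domains:
                findings.append(f"line {lineno}: '{addr}' is outside the allowed domains")
    return findings


if __name__ == "__main__":
    admins = parse_admins(SAMPLE_CONFIG)
    for finding in audit_admins(admins, {"admin", "netops"}) + audit_emails(SAMPLE_CONFIG, {"example.com"}):
        print(finding)
```

Run it against a backup taken before the upgrade and one taken after, with the expected account list and the organisation's mail domains filled in; an account missing trusted hosts is reported separately from one explicitly set to 0.0.0.0/0.0.0.0 so that both cases are reviewed.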
Best practice Recommendation.
- Disable the admin interface on public-facing internet connections (available in 6.0 and later).
Review the network interface advanced settings and enable only the required services.
The examples below assume port1 is dedicated to management and port2 to mail.
Services facing the internet.
- Disable the default admin account and use unique per-administrator accounts or remote authentication methods such as RADIUS or LDAP.
- It is preferred to use remote authentication with two factor authentication through RADIUS.
- It is recommended to change the default administrative ports, especially HTTPS, to non-standard ports under System -> Configuration -> Option -> Administration Ports.
If a firewall is in the management traffic path, its configuration will need to be changed to allow the new non-standard ports.
To create the firewall policy that forwards HTTPS traffic on a non-standard port to the FortiMail unit, first define a static NAT mapping from a public IP address on the FortiGate to the private IP address of the FortiMail by creating a virtual IP entry.
Then create a firewall policy that allows incoming FortiMail services received at the virtual IP address and applies static NAT when forwarding the traffic to the private network IP address of the FortiMail.
Note.
If a different firewall appliance is used, consult the appliance’s documentation for completing similar configurations.
Related Articles
Technical Tip: How to manually download and upgrade FortiMail firmware image on FortiMail