Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Salas
New Contributor

Fortigate vulnerability

I run pci dss security scan, and my fortigate 600c, with 5.2.11 fimware, and found vulnerability:

HTTP Security Header Not Detected HTTP Security Header Not Detected

RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0

THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

 

How to fix it ?

 

 

33 REPLIES 33
MikePruett
Valued Contributor

Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?

Salas

MikePruett wrote:

Do you have HTTP and HTTPS enabled on the outside interface of the Gate? What does the scan say when you turn that off?

No, only SSL VPN is listening on this port.

zorro
New Contributor

Hi

 

I cannot read from your post what was scanned by your scanner? Was it firewall's management GUI (on HTTP/HTTPS) or some web service that is behind the firewall?

 

Z.

emnoc
Esteemed Contributor III

Yes,  curious mines want to know. FWIW none of the  webGUI logins for    mgmt or sslvpn  have a X-XSS-Protection header when using  curl and monitoring the server response. These are on a  fortiOS 5.2.11 btw

 

Please use curl and dump the http.header here.

 

 

e.g

 

< HTTP/1.1 200 OK < Date: Sun, 15 Oct 2017 06:56:00 GMT < Vary: Accept-Encoding < Last-Modified: Fri, 21 Apr 2017 22:33:57 GMT < ETag: "af9_4f_58fa88d5" < Accept-Ranges: bytes < Content-Length: 79 < Content-Type: text/html; charset=utf-8 < X-Frame-Options: SAMEORIGIN < X-UA-Compatible: IE=Edge

 

5.6.x shows

 

 

< HTTP/1.1 200 OK < Date: Sun, 15 Oct 2017 06:59:21 GMT < Server: xxxxxxxx-xxxxx      <- I like the masked server header ;) < Vary: Accept-Encoding < Content-Length: 79 < Content-Type: text/html; charset=utf-8 < X-Frame-Options: SAMEORIGIN < Content-Security-Policy: frame-ancestors 'self' < X-UA-Compatible: IE=Edge < <html> <script language=javascript> top.location="/login"; </script> </html>

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

Salas
New Contributor

 

It's fortigate SSL VPN.

The full report about this issue:

 

QID:11827Severity:2   CVSS Base:4.3    AV:N/AC:M/Au:N/C:N/I:P/A:NCVSS Temporal:3.5    E:U/RL:U/RC:URPCI Compliance Status:FAIL     
  • The QID adheres to the PCI requirements based on the CVSS basescore.[/ul]Category:CGIPort/Service:443 / CGI (tcp)False Positive:N/A  Bugtraq ID:-CVE ID:-Vendor Reference:-Last Update:10/04/2017 at 03:00:00  Threat:

    This QID reports the absence of the following [link=https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers]HTTP headers[/link] according to [link=https://cwe.mitre.org/data/definitions/693.html]CWE-693: Protection Mechanism Failure[/link]: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSS-Protection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIME-type. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

    QID Detection Logic: This unauthenticated QID looks for the presence of the following HTTP responses: Valid directives for X-Frame-Options are: X-Frame-Options: DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so. X-Frame-Options: SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself. X-Frame-Options: ALLOW-FROM RESOURCE-URL - The page can only be displayed in a frame on the specified origin.

    Content-Security-Policy: frame-ancestors - This directive specifies valid parents that may embed a page using frame, iframe, object, embed, or appletValid directives for X-XSS-Protections are: X-XSS-Protection: 1 - Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts). X-XSS-Protection: 1; mode=block - Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected. X-XSS-Protection: 1; report=URI - Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP report-uri directive to send a report. X-XSS-Protection: 0 disables this directive and hence is also treated as not detected.

    A valid directive for X-Content-Type-Options: nosniff

    A valid directive for Content-Security-Policy: <policy-directive>; <policy-directive>

    A valid HPKP directive Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]

    A valid HSTS directive Strict-Transport-Security: max-age=<expire-time>; [; includeSubDomains][; preload]

    NOTE: All report-only directives (where applicable) are considered invalid.

    Impact:

    Depending on the vulnerability being exploited, an unauthenticated remote attacker could conduct cross-site scripting, clickjacking or MIME-type sniffing attacks.

    Solution:

    CWE-693: Protection Mechanism Failure mentions the following - The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.

    Customers are advised to set proper [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options]X-Frame-Options[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection]X-XSS-Protection[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP]Content Security Policy[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options]X-Content-Type-Options[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning]Public Key Pinning[/link] and [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]Strict-Transport-Security[/link] HTTP response headers.

    Depending on their server software, customers can set directives in their site configuration or Web.config files. Few examples are:

    X-Frame-Options: Apache: Header always append X-Frame-Options SAMEORIGIN nginx: add_header X-Frame-Options SAMEORIGIN; HAProxy: rspadd X-Frame-Options:\ SAMEORIGIN IIS: <HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="X-Frame-Options" VALUE="SAMEORIGIN"></ADD></CUSTOMHEADERS></HTTPPROTOCOL>

    X-XSS-Protection: Apache: Header always set X-XSS-Protection "1; mode=block" PHP: header("X-XSS-Protection: 1; mode=block");

    X-Content-Type-Options: Apache: Header always set X-Content-Type-Options: nosniff

    Content-Security-Policy: (Please note that these values may differ from website to website. The values below are for informational purposes only. The scanner simply looks for the presence of the security header.) Apache: Header set Content-Security-Policy "script-src 'self'; object-src 'self'" IIS: <SYSTEM.WEBSERVER><HTTPPROTOCOL><CUSTOMHEADERS><ADD NAME="Content-Security-Policy" VALUE="default-src 'self';"></ADD></CUSTOMHEADERS></HTTPPROTOCOL></SYSTEM.WEBSERVER> nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self';

    HTTP Public Key Pinning (HPKP): Apache: Header always set Public-Key-Pins "pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains" Lighttpd: setenv.add-response-header = ( "Public-Key-Pins" => "pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains")

    HTTP Strict-Transport-Security: Apache: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" Nginx: add_header Strict-Transport-Security max-age=31536000;

    Result:
    X-XSS-Protection HTTP Header missing on port 443.
    GET / HTTP/1.0
    Host: x.x.x.x



    X-Content-Type-Options HTTP Header missing on port 443.
    Content-Security-Policy HTTP Header missing on port 443.
    Public-Key-Pins HTTP Header missing on port 443.
    Strict-Transport-Security HTTP Header missing on port 443.

     

     

  • emnoc
    Esteemed Contributor III

    I would not worried about it.

     

    It's a X- header to begin with,  and you have no  means to inject or remove headers from a SSLVPN portal-access interface or even the  WebGUI as far as  that goes

     

    2nd if the  site is true SSLVPN tunnel, who cares about the header to begin with since this traffic is NOT HTTP ( those reports reflect HTTP headers btw )

     

     

    Ken

    PCNSE 

    NSE 

    StrongSwan  

    Salas
    New Contributor

    We are not usig VPN portal, we only using ssl-vpn clients,  is it possible to turn it off ?

    The problem is that scan is reporting that we are not compliant, and I must give them some arguments, to make it false positive finding.

     

    michaelbazy_FTNT

    Hi Salas,

     

    I'm thinking of a few options you could try:

     - First option:

    config vpn ssl web portal

    edit "my ssl portal"

    set skip-check-for-unsupported-browser disable" -> it's usually to deny access for browsers that can't launch an activeX or Java Applet... Worth a try, but you probably won't earn a lot of security points here. You might need to enable some host-checking though (which would still be good for your clients!). 

    end

    - second option : 

    migrate your tunnel portal from a public interface to a loopback - you'll need a FW rule with a VIP to forward traffic from Wan to your loopback - then activate IPS on the very rule. Another good protection here :) however adding an HSTS header isn't a NGFW possibility...

    - third option (fortinet sales Approved! ) : use a FortiWeb :)

    This third one is a little bit for trolling, but if your company is concerned about PCI DSS compliancy, they might consider the option, especially if you run other web services. And it will be the most 'by the book' way of improving your score (Even though I suppose that you're posting this thread precisely to avoid this option)

     

    Let us know what you'll do, even if it's nothing! 

     

    BR,

     

    Michael

     

     

     

     

    NSE8 #3112

    emnoc
    Esteemed Contributor III

    last option if it's SSLVPN only, disable the web portal.

     

     

    Under the portal   "set web mode disable"

     

    Ken

     

     

     

    PCNSE 

    NSE 

    StrongSwan