Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
davbu
New Contributor

Created on ‎10-17-2023 06:09 AM

Clarity on PSIRT Advisory FG-IR-23-120

I am seeking clarity on this advisory.

 

A use of GET request method with sensitive query strings vulnerability [CWE-598] in the FortiOS SSL VPN component may allow an attacker to view plaintext passwords of remote services such as RDP or VNC, if the attacker is able to read the GET requests to those services (found in logs, referers, caches, etc...)

 

We have several employees who SSLVPN using the FortiGate VPN client.  They then RDP to a Windows VM server.  In this instances how can an attacker view the plaintext passwords using the GET request?  As I understand a GET request is an http request and RDP uses protocol 3389.  Fortinet Support was not helpful in explaining the logic behind the advisory.  Can someone help me understand how an attacker can do this?

986
0 Kudos
2 Solutions
srajeswaran
Staff
Staff
In response to davbu

Created on ‎10-17-2023 06:41 AM

That is correct.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

972
0 Kudos
srajeswaran
Staff
Staff
In response to davbu

Created on ‎10-17-2023 06:57 AM



you can disable the webmode as explained in  https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-SSL-VPN-Web-Mode-or-Tunnel-...

 

In this example SSL-VPN Mode portal.

 

# config vpn ssl web portal

    edit "SSLVPN Mode"

        set web-mode disable  <----- Unset web-mode.

        end

end

 



Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

965
0 Kudos
5 REPLIES 5
srajeswaran
Staff
Staff

Created on ‎10-17-2023 06:26 AM

When you say "FortiGate VPN client", do you mean they use FortiClient to connect to SSL VPN? If so, you are not affected by this vulnerability. This vulnerability only affects web-mode not tunnel mode.

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

978
0 Kudos
davbu
New Contributor
In response to srajeswaran

Created on ‎10-17-2023 06:40 AM

Hi Suraj,

Thank you for clarifying.  So this vulnerability only affects if you are using the Browser to sslvpn in correct?

974
0 Kudos
srajeswaran
Staff
Staff
In response to davbu

Created on ‎10-17-2023 06:41 AM

That is correct.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

973
0 Kudos
davbu
New Contributor
In response to srajeswaran

Created on ‎10-17-2023 06:49 AM

Is there a way to block sslvpn through the browser from the Fortigate?

970
0 Kudos
srajeswaran
Staff
Staff
In response to davbu

Created on ‎10-17-2023 06:57 AM



you can disable the webmode as explained in  https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-SSL-VPN-Web-Mode-or-Tunnel-...

 

In this example SSL-VPN Mode portal.

 

# config vpn ssl web portal

    edit "SSLVPN Mode"

        set web-mode disable  <----- Unset web-mode.

        end

end

 



Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

966
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.