Support Forum
Salas
New Contributor

Fortigate: Session Cookie Does Not Contain the "Secure" Attribute

I am currently doing a PCI DSS security scan; my firmware version is v5.4.8,build1183 (GA).

And this vulnerability was detected in the results:

VULNERABILITY DETAILS

CVSS Base Score: 5 AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Temporal Score: 4.3 E:U/RL:U/RC:C

Severity: 2122

QID: 13162

Category: CGI

CVE ID: -

Vendor Reference: -

Bugtraq ID: -

Last Update: 06/12/2018

THREAT:

The secure cookie flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.

A cookie with the secure attribute was not detected in the scan.

QID Detection Logic:

This unauthenticated QID checks for the existence of the "secure" cookie flag.

IMPACT:

Session cookies sent via HTTP expose users to sniffing attacks that could lead to user impersonation or account compromise.

SOLUTION:

Apply the "secure" attribute to session cookies to ensure that they are sent via HTTPS only. More information about this flag can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie.

RESULT:

HTTP Cookie missing Secure attribute on port 443.
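To reproduce the scanner's condition locally against the headers a device actually returns, here is an added example (not code from the original post, from Fortinet, or from the scanner vendor) that parses Set-Cookie headers and reports cookies lacking the Secure or HttpOnly attribute. The header values and cookie names are constructed samples, not a capture from a FortiGate.

```python
from dataclasses import dataclass, field

# Attributes a session cookie served over HTTPS is expected to carry.
REQUIRED_ATTRIBUTES = ("Secure", "HttpOnly")


@dataclass
class ParsedCookie:
    name: str
    attributes: set = field(default_factory=set)  # lower-cased attribute names


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax) into the cookie
    name and the set of attribute names that follow the name=value pair."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (e.g. Path=/) are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return ParsedCookie(name, attrs)


def audit_cookies(raw_headers) -> dict:
    """Return {cookie_name: [missing attributes]} for every Set-Cookie header
    in a response that lacks Secure and/or HttpOnly. Only meaningful for
    responses received over TLS (the scan above reports port 443)."""
    findings = {}
    for field_name, value in raw_headers:
        if field_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        missing = [a for a in REQUIRED_ATTRIBUTES if a.lower() not in cookie.attributes]
        if missing:
            findings[cookie.name] = missing
    return findings


# Constructed sample response headers (hypothetical cookie names).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=0123abcd; Path=/; HttpOnly"),      # missing Secure
    ("Set-Cookie", "pref=light; Path=/"),                          # missing both
    ("Set-Cookie", "csrf_token=9f8e7d; Path=/; Secure; HttpOnly"),  # compliant
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"cookie {name!r} is missing: {', '.join(missing)}")
```

Point the same function at the raw headers of a real HTTPS response to confirm a fix took effect before rerunning the PCI scan.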

1 REPLY
Salas
New Contributor

I found this KB, but there are only 5.0 and 5.2 firmwares listed.

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36922
