Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Salas
New Contributor

Fortigate vulnerability

I run pci dss security scan, and my fortigate 600c, with 5.2.11 fimware, and found vulnerability:

HTTP Security Header Not Detected HTTP Security Header Not Detected

RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0

THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

 

How to fix it ?

 

 

33 REPLIES 33
michaelbazy_FTNT

I hate to disagree, emnoc, but "set web mode disable" doesn't deactivate the access the https portal... which is the issue here.

Basically, it just removes the widgets related to web mode. You'll still be able to connect to SSLVPN portal. It allows users to download FortiClient.

 

Nice set of certs, btw! :)

I'm operating by "Crocker's Rules"
emnoc
Esteemed Contributor III

I'll be darn, I tried this on 5.2.11 and 5.4.3 and your right it  still displays the SSLvpn portal

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
michaelbazy_FTNT

Regarding the original request : Salas : if you can justify that it's a false positive, maybe you can explain that the traffic concerned by this opened traffic is not web traffic encapsulated in ssl : it's a ppp connection through ssl. Well, at least that's how you use it for.

 

I can think of another option : client authentication through ssl certificates. That way your scan won't even reach the HTTP header.

 

Once again : let us know! :)

I'm operating by "Crocker's Rules"
Salas

Thanks all, for help, i will try to give them this explanation. 

By the way we are using certificates, for SSL VPN,  but still the scan detects this issue.

 

oheigl
Contributor II

Isn't the SSL Client just a wrapper for HTTPS requests to server? If you compare the sslvpn debug of a ssl web gui login and a client login it seems nearly the same?

michaelbazy_FTNT

Salas wrote:

By the way we are using certificates, for SSL VPN,  but still the scan detects this issue.

 

Wow. Now I gotta run a packet sniffer and check the behavior! I always thought that if you don't present the proper certificate, the connexion would fail before talking http... :)

 

Or do you provide a web certificate for the test?

I'm operating by "Crocker's Rules"
emnoc
Esteemed Contributor III

 

By the way we are using certificates, for SSL VPN

 

 

 

BTW that X-header  comes after the SSL negotiation with the client/server hello. Just figure I would point that out.

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Salas
New Contributor

Qualys accepted my explanation, thanks all for help. But i hope fortigate will do something with this issue in next firmare realeses, i also opened ticket in support.

Salas
New Contributor

The answer from fortigate support:

 

"Fix is coming in the next 5.4.7 and 5.6.3"

 

But there will be no fix for 5.2.x firmwares. So i'll have to upgrade my firealls.

 

 

JerryPWhite1
New Contributor II

I'm on 5.4.8 and still have same error btw.

Jerry Paul White

Network Engineer/Tech Supervisor

" 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"

Jerry Paul White Network Engineer/Tech Supervisor " 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors