Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Salas
New Contributor

Fortigate vulnerability

I run pci dss security scan, and my fortigate 600c, with 5.2.11 fimware, and found vulnerability:

HTTP Security Header Not Detected HTTP Security Header Not Detected

RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0

THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.

 

How to fix it ?

 

 

33 REPLIES 33
darwin_FTNT

What is the forticare / tech support ticket number or the mantis bug number?

JerryPWhite1

Why do you need the forticare ticket number?

 

 

Jerry Paul White

Network Engineer/Tech Supervisor

" 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"

Jerry Paul White Network Engineer/Tech Supervisor " 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"
BWiebe

The folks with _FTNT are from Fortinet.

 

darwin_FTNT likely wants to check the status internally on the issue.

JerryPWhite1
New Contributor II

I'm pretty sure I can put FTNT behind my profile as well. :) This is a semi-public forum so I don't feel the need for the ticket number unless I'm positive it is well intended. I'll post official content if/when I have this resolved or at least an answer from Fortinet.

Jerry Paul White

Network Engineer/Tech Supervisor

" 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"

Jerry Paul White Network Engineer/Tech Supervisor " 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"
zenace33

Did this ever get resolved in the latest releases? I'm running 5.6.5, and get this flagged "vulnerability," but not exactly sure I see a place to change a header setting for HSTS.

Mike_Ferderer

So I'm running 6.0.4 and I ran 'set url-obfuscation enable' from conf vpn ssl settings.   I then would get the error below about 'hsts' if I tried to access the portal by name (and note I'm using the built-in self signed cert so it won't match the name).  That error below is only presented to me in Chrome - my Firefox allows me to 'accept/continue' with the self signed warning.  Note, I could get to the portal in Chrome if I just used the IP in the URL.   So possibly using the url-obfuscation this may enable hsts and help with the vulnerability scan warning.

 

*warning in chrome* (cannot proceed/accept risk to get to portal)

You cannot visit hostname.my.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

FortiOSman

Was anyone able to confirm the fix for this?

brhunt

I know that this thread is old, but I just had the same issue in version 6.2.3.

 

The issue is that the scanner is expecting that the SSL Cert is protecting a web server.  And that the web server should/could add in the x-headers that the scanner is expecting back.

 

But SSLVPN is not a webserver, and has no ability to send those x-headers.

 

The solution was to contact the scanning vendor (Qualys in my case), and let them know the situation.  They understood immediately what I was describing, and created a case to get an exception added to that site.  Once that was done, the scan passed without issue.

emnoc
Esteemed Contributor III

A vulnerability scan and results has to be looked at case by case, fwiw and the results interpret .

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
brhunt
New Contributor

Ken,

 

This thread is talking about one specific scanning issue, [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options]X-Frame-Options[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection]X-XSS-Protection[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP]Content Security Policy[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options]X-Content-Type-Options[/link], [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning]Public Key Pinning[/link] and [link=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]Strict-Transport-Security[/link] HTTP response headers, when running against a port opened for SSLVPN.

 

That's what I responded to.

 

Bryan Hunt

Labels
Top Kudoed Authors