I run pci dss security scan, and my fortigate 600c, with 5.2.11 fimware, and found vulnerability:
HTTP Security Header Not Detected HTTP Security Header Not Detected
RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0
THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
How to fix it ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I hate to disagree, emnoc, but "set web mode disable" doesn't deactivate the access the https portal... which is the issue here.
Basically, it just removes the widgets related to web mode. You'll still be able to connect to SSLVPN portal. It allows users to download FortiClient.
Nice set of certs, btw! :)
I'll be darn, I tried this on 5.2.11 and 5.4.3 and your right it still displays the SSLvpn portal
PCNSE
NSE
StrongSwan
Regarding the original request : Salas : if you can justify that it's a false positive, maybe you can explain that the traffic concerned by this opened traffic is not web traffic encapsulated in ssl : it's a ppp connection through ssl. Well, at least that's how you use it for.
I can think of another option : client authentication through ssl certificates. That way your scan won't even reach the HTTP header.
Once again : let us know! :)
Thanks all, for help, i will try to give them this explanation.
By the way we are using certificates, for SSL VPN, but still the scan detects this issue.
Isn't the SSL Client just a wrapper for HTTPS requests to server? If you compare the sslvpn debug of a ssl web gui login and a client login it seems nearly the same?
Salas wrote:By the way we are using certificates, for SSL VPN, but still the scan detects this issue.
Wow. Now I gotta run a packet sniffer and check the behavior! I always thought that if you don't present the proper certificate, the connexion would fail before talking http... :)
Or do you provide a web certificate for the test?
By the way we are using certificates, for SSL VPN
BTW that X-header comes after the SSL negotiation with the client/server hello. Just figure I would point that out.
PCNSE
NSE
StrongSwan
Qualys accepted my explanation, thanks all for help. But i hope fortigate will do something with this issue in next firmare realeses, i also opened ticket in support.
The answer from fortigate support:
"Fix is coming in the next 5.4.7 and 5.6.3"
But there will be no fix for 5.2.x firmwares. So i'll have to upgrade my firealls.
I'm on 5.4.8 and still have same error btw.
Jerry Paul White
Network Engineer/Tech Supervisor
" 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.