Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Manish_NCS
New Contributor

Improper authorization for HA requests

Improper authorization for HA requests

i want to know about below vulnerability 

Summary

An improper privilege management vulnerability [CWE-269] in a FortiOS & FortiProxy HA cluster may allow an authenticated attacker to perform elevated actions via crafted HTTP or HTTPS requests.

 

how to mitigate this ?

is this applicable to all the Fortigate FW

how to check if this is affecting for my network or not. ?

 

https://www.fortiguard.com/psirt/FG-IR-23-315 

 

this is the link which i receive from Fortigate. 

9 REPLIES 9
AEK
Honored Contributor II

This is a vulnerability on FOS 7.2.5, 7.4.0 and 7.4.1.

To fix it you just have to update your FOS to 7.2.6 or 7.4.2.

AEK
AEK
Manish_NCS
New Contributor

which one is the best and stable version 7.2.6 or 7.4.2

because if i upgrade 7.2.6 and after one month's again would be another like 7.2.7 correct?

 

so, what about 7.4.2 because this would be major upgrade right from 7.2.5 to 7.4.2 so later it will cover all the version which are between 7.2.6 to 7.4.2 correct ?

AEK
Honored Contributor II

First, check the release notes of both 7.2.6 and 7.4.2.

  • If you see that you don't need the new features that are available in 7.4.x, then I think it is better to stay at 7.2.6. Once 7.2.7 is released then update your FW again
  • In case you really need the new features that are available in 7.4.x, then go for 7.2.4

Personally I stay at 7.0.13 since it is more mature than the two above, and also because I don't need extra features at the moment.

AEK
AEK
hbac
Staff
Staff

Hi @Manish_NCS,

 

As AEK suggested, you just need to upgrade the firmware version to 7.2.6 or 7.4.2. You can disable all web administrative interface (HTTP or HTTPS) from external network for mitigation. 

 

Regards, 

Manish_NCS

how i can perform this task. can you please let me know. 

 

You can disable all web administrative interface (HTTP or HTTPS) from external network for mitigation. 

 

mean to say how to disable http or https. ? from external network

hbac

@Manish_NCS

 

I mean you can disable HTTPS administrative access on your WAN interface. You can refer to https://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/582009/system-administra...

 

Regards,

AEK
Honored Contributor II

As recommended by @hbac , I'd also suggest to disable admin access on WAN interfaces, even if you have patched all your vulnerabilities.

AEK
AEK
Yen
New Contributor

My FGVM using version 5.2 and 5.4。

 

Do I need upgrade?

AEK
Honored Contributor II

@Yen, your FG seems not affected by this vulnerability, however you still need to upgrade, as 5.x is not patched anymore.since long time.

AEK
AEK
Labels
Top Kudoed Authors