PSIRT Advisory

FortiOS XSS vulnerabilities via User Groups & Config Revision Comments

Summary

Two XSS vulnerabilities were reported to us affecting FortiOS that can be exploited to load and run a remote (malicious) Javascript in a logged in browser.


The vulnerable input fields are

  • the "Comments" input while saving Configuration Revisions (CVE-2017-7734)
  • the "Groups" input while creating or editing User Groups (CVE-2017-7735)

Impact

Execute unauthorized code or commands

Affected Products

  • CVE-2017-7734: FortiOS versions 5.4.0 to 5.4.4
  • CVE-2017-7735: FortiOS versions 5.2.0 to 5.4.4

Solutions

  • CVE-2017-7734: Upgrade to FortiOS 5.4.5 or 5.6.0
  • CVE-2017-7735: Upgrade to FortiOS 5.2.12, 5.4.5 or 5.6.0

Workarounds

  • CVE-2017-7734 : Under System > Admin Profiles, edit the concerned profile(s) and set Access Control for "Maintenance" to "Read-Only"
  • CVE-2017-7735 : Under System > Admin Profiles, edit the concerned profile(s) and set Access Control for "User & Device" to "Read-Only"
  • Trusthosts can also be configured if the source IP addresses of trusted administrators are known.

Acknowledgement

Fortinet is pleased to thank Walmart's ISD Enterprise Security Testing (EST) Team for reporting this vulnerability under responsible disclosure.