PSIRT Advisory

FortiGate default configuration does not verify the LDAP server identity.

Summary

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

Impact

Information Disclosure

Affected Products

FortiOS 6.2.0 and below.

Solutions

For users running versions 6.0.3 to 6.2.0, enabling the CLI option that checks for LDAP server identity entirely prevents the issue:

config user ldap
    edit ldap-server
        set server-identity-check enable
    next
end

FortiOS 6.2.1 and above have server-identity-check enabled by default when installed from scratch.

However, for compatibility reasons, the value of server-identity-check is kept unchanged across firmware upgrades. In other words, upgrading from 6.0.3 - 6.2.0 to 6.2.1 and above does not suffice to thwart the issue: server-identity-check must be enabled explicitly (either before or after the upgrade).
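As an added example (not part of the advisory or Fortinet's own tooling), the following script audits a FortiOS configuration backup for LDAP server entries that do not explicitly enable server-identity-check, and prints the remediation CLI shown above for each one. The sample configuration text is constructed for illustration; it assumes the backup uses the standard config/edit/set/next/end layout.

```python
# Constructed FortiOS config backup excerpt (not from the advisory): one LDAP
# entry with the check enabled, one disabled, one leaving it at the default.
SAMPLE_CONFIG = """\
config user ldap
    edit "ldap-corp"
        set server "10.0.0.5"
        set secure ldaps
        set server-identity-check enable
    next
    edit "ldap-legacy"
        set server "10.0.0.6"
        set server-identity-check disable
    next
    edit "ldap-default"
        set server "10.0.0.7"
    next
end
"""

def ldap_entries(config_text):
    """Return {name: {setting: value}} for each entry under 'config user ldap'."""
    entries, in_ldap, current = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config user ldap":
            in_ldap = True
        elif not in_ldap:
            continue
        elif line == "end":
            break
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return entries

def unchecked_ldap_servers(config_text):
    """Entries that do not explicitly enable server-identity-check. An absent
    setting is flagged too: it means the build's default, which is 'disable'
    on 6.2.0 and below and is preserved unchanged across upgrades."""
    return sorted(name for name, s in ldap_entries(config_text).items()
                  if s.get("server-identity-check") != "enable")

def remediation_cli(names):
    """CLI from the advisory, one 'edit' block per flagged entry."""
    body = [f'    edit "{n}"\n        set server-identity-check enable\n    next' for n in names]
    return "\n".join(["config user ldap", *body, "end"])
```

Run `unchecked_ldap_servers` over the output of a full configuration backup; the remediation it prints should be reviewed against each server's certificate before being applied, since enabling the check against a certificate whose name does not match the configured server will cause LDAP binds to fail.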

Acknowledgement

Fortinet is pleased to thank James Renken from the Internet Security Research Group and Florian Thiele for bringing this issue to our attention under responsible disclosure.