PSIRT Advisory

FortiOS malformed HTTP or SSL/TLS traffic control

Summary

FortiOS Explicit Web Proxy by default allows non-standard HTTP traffic. 


FortiOS SSL/SSH Inspection Profile by default allows non-standard SSL/TLS traffic.

Impact

Operational Risk, Traffic Bypass

Affected Products

This operational risk applies, by default, to all FortiOS versions.

Solutions

Non-standard HTTP traffic can be disallowed with the following CLI commands:


config web-proxy global
    set tunnel-non-http disable
end

(The default value of tunnel-non-http is "enable".)


Non-standard SSL/TLS traffic can be disallowed with the following CLI commands:


config firewall ssl-ssh-profile
    edit [profile-name]
        config [protocols]
            set ports [port]
            set unsupported-ssl block
        end
    end

([profile-name], [protocols] and [port] are placeholders; the default value of unsupported-ssl is "bypass".)


Starting from FortiOS 6.2.1, administrators can also disallow both through the admin WebUI:


For Explicit Web Proxy: Network -> Explicit Proxy -> Protocol Enforcement (default is off)


For SSL/SSH Inspection: Security Profiles -> SSL/SSH Inspection -> Enforce SSL Protocol Compliance (default is off)
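As an added illustration (not part of this advisory or of any Fortinet tooling), the following Python audit parses a FortiOS-style configuration backup and flags where the two permissive defaults described above are still in effect. It assumes the backup omits settings that are still at their default value, as `show` output does, so a missing tunnel-non-http or unsupported-ssl line is reported as the default; the sample configuration, its profile name and its https/smtps sections are constructed for the example.

```python
# Constructed sample in FortiOS configuration syntax (not a real device backup).
# Settings still at their default values are omitted, as in `show` output.
SAMPLE_CONFIG = """\
config web-proxy global
    set proxy-fqdn "proxy.example.invalid"
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set unsupported-ssl block
        end
        config smtps
            set ports 465
        end
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end nesting into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):   # open a child block under its name
            child = {}
            cur[rest.strip('"')] = child
            stack.append(cur)
            cur = child
        elif word == "set":              # "set <key> <value...>" in the current block
            key, _, value = rest.partition(" ")
            cur[key] = value
        elif word in ("next", "end"):    # return to the parent block
            cur = stack.pop()
    return root

def audit(config):
    findings = []
    # tunnel-non-http defaults to "enable", so an absent line means non-HTTP is tunnelled.
    proxy = config.get("web-proxy global", {})
    if proxy.get("tunnel-non-http", "enable") == "enable":
        findings.append("web-proxy global: tunnel-non-http is enable")
    for name, profile in config.get("firewall ssl-ssh-profile", {}).items():
        for proto, settings in profile.items():
            # Each protocol block defaults unsupported-ssl to "bypass".
            if isinstance(settings, dict) and settings.get("unsupported-ssl", "bypass") == "bypass":
                findings.append(f"ssl-ssh-profile {name}/{proto}: unsupported-ssl is bypass")
    return findings
```

Running `audit(parse_fortios(SAMPLE_CONFIG))` reports the proxy default and the smtps section, while the hardened https section is silent.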

Acknowledgement

Fortinet thanks the security research company Praetorian for bringing this to our attention, with supporting proofs.