Product Description

FortiWeb is a Web Application Firewall (WAF) produced by the Fortinet company. It enables users to set security filters between unsecured networks and Web applications.

Official website: https://www.fortinet.com/products/application-security/fortiweb.html

Details

Access Vector: remote

Security Risk: low

Vulnerability: CWE-200

CVSS Base Score: 4.9

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C

Vulnerabiltiy description

The FortiWeb appliance discloses the SNMP version 3 user's password. The web page displayed by the appliance contains the password in clear-text.

Thus, an administrator with at least a read-only access would be able to retrieve it.

Exploitation

To obtain this password, just navigate in the administration panel : system -> config -> SNMP -> edit SNMPv3 user.

Reading the html source code of the page reveals the password of the SNMP user.

SNMP password disclosure in source code

Affected version

  • FortiWeb 5.8.2 and below until 5.4.1

Solution

Upgrade to FortiWeb version 5.8.3

References

Timeline (dd/mm/yyyy)

  • 03/05/2017 : Initial discovery
  • 05/06/2017 : First contact with customer support
  • 23/06/2017 : Reply from PSIRT team
  • 27/06/2017 : Providing all details to the PSIRT team
  • 28/06/2017 : Acknoledgment by Fortinet PSIRT team, registering of CVE-2017-7737 and fix scheduling for version 5.8.3
  • 12/08/2017 : Publication of the Fortinet PSIRT advisory
  • 20/11/2017 : Sysdream publication

(Congratulations to the Fortinet team for the very professional and quick handling of this issue)

Credits

  • Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)