FortiGate default configuration does not verify the LDAP server identity - CVE-2019-5591

I have found a vulnerability in all FortiOS versions, including the current 5.4/5.6/6.0/6.2 branches. The issue has been fixed in 6.0.3/6.2.1 by using the new feature "server-identity-check".

The vulnerability is in the LDAPS connection of the FortiGate to an LDAP server. The FortiGate does not properly check the certificate sent by the LDAP server, although the correct CA certificate is configured. More details will be published later.

Fortinet's PSIRT team responded quickly, acknowledged the issue, told me that someone else had also reported it, assigned CVE-2019-5591 to it and released the following PSIRT advisory: https://fortiguard.com/psirt/FG-IR-19-037

Solution:

Update to FortiOS 6.0.3+ or 6.2.1+ and set the following option (replace ldap-server with the name of your LDAP server entry):

config user ldap
    edit ldap-server
        set server-identity-check enable
    next
end
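What the server identity check adds on top of CA validation, as an added example that is not FortiOS code or part of the advisory: validating the chain only proves that some trusted CA issued the certificate, so a valid certificate for any other host signed by the same CA would be accepted for the LDAP server unless the server name is also matched against the certificate. The matcher below implements the usual RFC 6125 rules (SAN dNSName entries first, CN only as a fallback, a single leftmost wildcard label) over certificate dicts in the shape returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates, host names and the helper names are constructed for the example.

```python
"""Server identity (hostname) check for an LDAPS client connection.

Added example; not code from FortiOS or Fortinet. The certificate dicts below
are constructed test data in the shape ssl.SSLSocket.getpeercert() returns.
"""
import ssl


def _name_matches(pattern, hostname):
    """Match one DNS name from the certificate against the configured server name.

    Only a single leftmost wildcard label ("*.example.internal") is accepted, and
    it must not span label boundaries, so "*.example.internal" matches
    "ldap.example.internal" but neither "example.internal" nor "a.b.example.internal".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_server(cert, server_name):
    """Return True if the certificate was issued for server_name.

    Prefers subjectAltName dNSName entries; the subject CN is consulted only
    when the certificate carries no DNS SAN at all.
    """
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_name_matches(name, server_name) for name in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, server_name)
    return False


def ldaps_context(ca_file, identity_check):
    """Build a client TLS context for LDAPS.

    identity_check=False is the weak configuration: the chain is still validated
    against ca_file, but any certificate that CA ever issued is accepted for any
    server name. identity_check=True is the hardened form.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = identity_check
    return ctx


# Constructed sample: a certificate issued for the configured LDAP server.
GOOD_CERT = {
    "subject": ((("commonName", "ldap.example.internal"),),),
    "subjectAltName": (("DNS", "ldap.example.internal"),),
}
# Constructed sample: a valid certificate from the same CA, issued to another host.
# Chain validation alone accepts it; the identity check rejects it.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "mail.example.internal"),),),
    "subjectAltName": (("DNS", "mail.example.internal"), ("DNS", "*.mail.example.internal")),
}

if __name__ == "__main__":
    for label, cert in (("own cert", GOOD_CERT), ("other host's cert", OTHER_HOST_CERT)):
        print(label, "accepted" if cert_matches_server(cert, "ldap.example.internal") else "rejected")
```

With a real connection, `ldaps_context(ca_file, True).wrap_socket(sock, server_hostname="ldap.example.internal")` performs the same matching during the handshake and raises ssl.SSLCertVerificationError on a mismatch; the explicit matcher is useful when the TLS library in use does not do it for you, which is the situation the advisory describes.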
Migrate Nextcloud v15 with MariaDB database to Nextcloud v16 with PostgreSQL

If you are running Nextcloud v15 with MariaDB and want to upgrade to Nextcloud version 16, then you have to migrate the database from MariaDB to PostgreSQL.

This can be done using the following script, which I adjusted for Ubuntu 16.04. It is originally from the following site: https://www.techandme.se/we-migrated-to-postgresql/

#!/bin/bash

## Convert to PostgreSQL ##
# Tested on Ubuntu Server 16.04
# Make sure you have a full backup of your nextcloud installation

# Make sure only root can run our script
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root, please type sudo -i and run it again." 1>&2
    exit 1
fi

service apache2 stop

# Source the helper library of the nextcloud/vm project. The script relies on it for
# check_command, the $SCRIPTS directory and the generated database password $PGDB_PASS.
# This executes code fetched over the network at run time: review the file first
# (or keep a reviewed local copy and source that instead).
. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)

# Abort early if the library did not provide a password; the psql heredoc below
# would otherwise create the user with an empty password.
if [ -z "$PGDB_PASS" ]; then
    echo "PGDB_PASS is not set (lib.sh not sourced correctly?), aborting." 1>&2
    exit 1
fi

NCUSER=pgsql_user_nextcloud

# Install PostgreSQL
apt update
check_command apt install postgresql-9.5

# Create DB
cd /tmp || exit
sudo -u postgres psql <<END
CREATE USER $NCUSER WITH PASSWORD '$PGDB_PASS';
CREATE DATABASE nextcloud_db WITH OWNER $NCUSER TEMPLATE template0 ENCODING 'UTF8';
END
check_command service postgresql restart

# Convert DB (occ copies all tables to PostgreSQL and rewrites config.php)
sudo -u www-data php /var/www/nextcloud/occ db:convert-type --all-apps --password "$PGDB_PASS" pgsql $NCUSER 127.0.0.1 nextcloud_db
sudo -u www-data php /var/www/nextcloud/occ maintenance:repair

# Remove MySQL / MariaDB
read -p "Are you sure you want to remove MySQL?" -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]
then
    apt clean
    apt update
    dpkg -r mariadb-client-10.2
    dpkg -r mariadb-server-10.2
    dpkg -r libmysqlclient20:i386
    dpkg -r libmysqlclient20:amd64
    dpkg -r libmysqlclient18:amd64
    dpkg -r mysql
    apt purge mysql\* libmysql\* libmariadb\*
    apt autoremove -y
    rm -R /var/lib/mysql /var/lib/mysql-files /var/lib/mysql-keyring /var/mysql-upgrade /etc/mysql
fi

# Remove the MySQL-only option from config.php and drop the blank line it leaves behind
if grep -q "mysql.utf8mb4" /var/www/nextcloud/config/config.php
then
    sed -i "s|'mysql.utf8mb4' => true,||g" /var/www/nextcloud/config/config.php
    sed -i '/^\s*$/d' /var/www/nextcloud/config/config.php
fi

# Show password
echo "Your new PostgreSQL password is: $PGDB_PASS. It's also written in your Nextcloud config.php file."

# Start Apache2
echo "Apache will start in 30 seconds... Press CTRL+C to abort."
sleep 30
service apache2 start

# Fetch the correct update script
if [ -f "$SCRIPTS"/update.sh ]
then
    rm "$SCRIPTS"/update.sh
    wget https://raw.githubusercontent.com/nextcloud/vm/master/static/update.sh -P "$SCRIPTS"
    chmod +x "$SCRIPTS"/update.sh
fi

exit

Testing FortiGate FortiOS nested address object groups

Sometimes it is useful to know whether a device really supports nested groups. This little test shows that a Fortinet FortiGate 60D running FortiOS 5.6 actually supports an address object that is nested in five different groups:

address object "h-192.168.2.2" is in group "srcgrp05"
address object group "srcgrp05" is in group "srcgrp04"
address object group "srcgrp04" is in group "srcgrp03"
address object group "srcgrp03" is in group "srcgrp02"
address object group "srcgrp02" is in group "srcgrp01"
address object group "srcgrp01" is used in firewall policy with id 10:


srcgrp01/
└── srcgrp02/
    └── srcgrp03/
        └── srcgrp04/
            └── srcgrp05/
                └── h-192.168.2.2

dstgrp01/
└── dstgrp02/
    └── dstgrp03/
        └── dstgrp04/
            └── dstgrp05/
                └── h-172.16.0.182

Firewall policy 10 uses srcgrp01 and dstgrp05 (by mistake; it should have been dstgrp01, but dstgrp05 contains the destination host directly, so the test is unaffected)


Config:

config firewall address
    edit "h-192.168.2.2"
        set subnet 192.168.2.2 255.255.255.255
    next
    edit "h-172.16.0.182"
        set subnet 172.16.0.182 255.255.255.255
    next
end

config firewall addrgrp
    edit "srcgrp05"
        set member "h-192.168.2.2"
    next
    edit "srcgrp04"
        set member "srcgrp05"
    next
    edit "srcgrp03"
        set member "srcgrp04"
    next
    edit "srcgrp02"
        set member "srcgrp03"
    next
    edit "srcgrp01"
        set member "srcgrp02"
    next
    edit "dstgrp05"
        set member "h-172.16.0.182"
    next
    edit "dstgrp04"
        set member "dstgrp05"
    next
    edit "dstgrp03"
        set member "dstgrp04"
    next
    edit "dstgrp02"
        set member "dstgrp03"
    next
    edit "dstgrp01"
        set member "dstgrp02"
    next
end

config firewall policy
    edit 10
        set srcintf "internal3"
        set dstintf "wan1"
        set srcaddr "srcgrp01"
        set dstaddr "dstgrp05"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end

Test using diag debug flow:

FGT60D123456789 # id=20085 trace_id=4 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [S], seq 1083753677, ack 0, win 64240"
id=20085 trace_id=4 func=init_ip_session_common line=5614 msg="allocate a new session-0005ea9f"
id=20085 trace_id=4 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-172.16.0.182 via wan1"
id=20085 trace_id=4 func=fw_forward_handler line=746 msg="Allowed by Policy-10: SNAT"
id=20085 trace_id=4 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871"
id=20085 trace_id=5 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 172.16.0.182:22->172.16.255.254:58871) from wan1. flag [S.], seq 3921820808, ack 1083753678, win 29200"
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, reply direction"
id=20085 trace_id=5 func=__ip_session_run_tuple line=3298 msg="DNAT 172.16.255.254:58871->192.168.2.2:58871"
id=20085 trace_id=5 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-192.168.2.2 via internal3"
id=20085 trace_id=5 func=npu_handle_session44 line=919 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000000"
id=20085 trace_id=5 func=ip_session_install_npu_session line=270 msg="npu session intallation succeeded"
id=20085 trace_id=6 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [.], seq 1083753678, ack 3921820809, win 1026"
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, original direction"
id=20085 trace_id=6 func=npu_handle_session44 line=919 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00002000"
id=20085 trace_id=6 func=ip_session_install_npu_session line=270 msg="npu session intallation succeeded"
id=20085 trace_id=6 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871"
id=20085 trace_id=7 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 172.16.0.182:22->172.16.255.254:58871) from wan1. flag [F.], seq 3921820867, ack 1083753680, win 229"
id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, reply direction"
id=20085 trace_id=7 func=__ip_session_run_tuple line=3298 msg="DNAT 172.16.255.254:58871->192.168.2.2:58871"
id=20085 trace_id=7 func=npu_handle_session44 line=919 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00003000"
id=20085 trace_id=8 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [F.], seq 1083753680, ack 3921820868, win 1026"
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, original direction"
id=20085 trace_id=8 func=npu_handle_session44 line=919 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00003000"
id=20085 trace_id=8 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871" 


Result

An address object nested in five address object groups works: the SSH connection from h-192.168.2.2 is accepted by policy 10 ("Allowed by Policy-10"), although the policy references only the outermost group srcgrp01.
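Checking a chain like this by hand gets tedious once groups have more than one member, and a reviewer also wants to catch the mistake in policy 10 (dstgrp05 instead of dstgrp01) and accidental loops. The following is an added example, not a Fortinet tool or part of the original test: it parses the "config firewall addrgrp" and "config firewall policy" blocks from above (embedded as sample text, with policy 10 reduced to its srcaddr/dstaddr lines), expands every group recursively, reports the nesting depth, and refuses to loop on a group that ends up containing itself. The function names are the example's own.

```python
"""Resolve nested FortiGate address groups from a CLI configuration dump.

Added example, not a Fortinet tool. SAMPLE_CONFIG is the addrgrp and policy
configuration from the test above; the policy keeps only its address lines.
"""
import re

SAMPLE_CONFIG = """\
config firewall addrgrp
    edit "srcgrp05"
        set member "h-192.168.2.2"
    next
    edit "srcgrp04"
        set member "srcgrp05"
    next
    edit "srcgrp03"
        set member "srcgrp04"
    next
    edit "srcgrp02"
        set member "srcgrp03"
    next
    edit "srcgrp01"
        set member "srcgrp02"
    next
    edit "dstgrp05"
        set member "h-172.16.0.182"
    next
    edit "dstgrp04"
        set member "dstgrp05"
    next
    edit "dstgrp03"
        set member "dstgrp04"
    next
    edit "dstgrp02"
        set member "dstgrp03"
    next
    edit "dstgrp01"
        set member "dstgrp02"
    next
end
config firewall policy
    edit 10
        set srcaddr "srcgrp01"
        set dstaddr "dstgrp05"
    next
end
"""

QUOTED = re.compile(r'"([^"]+)"')   # FortiOS quotes each name: set member "a" "b"


def parse_config(text):
    """Return (groups, policies): group -> member names, policy id -> address lists."""
    groups, policies = {}, {}
    sections, entry = [], None          # stack of open "config ..." sections, current edit
    for raw in text.splitlines():
        line = raw.strip()
        section = sections[-1] if sections else ""
        if line.startswith("config "):
            sections.append(line[7:])
        elif line == "end":
            sections.pop()
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            if section == "firewall addrgrp":
                groups.setdefault(entry, [])
            elif section == "firewall policy":
                policies.setdefault(entry, {"srcaddr": [], "dstaddr": []})
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            if section == "firewall addrgrp" and key == "member":
                groups[entry] = QUOTED.findall(value)
            elif section == "firewall policy" and key in ("srcaddr", "dstaddr"):
                policies[entry][key] = QUOTED.findall(value)
    return groups, policies


def resolve(name, groups, _path=()):
    """Expand a name into (set of leaf address objects, nesting depth).

    Depth counts group levels below name: a plain address object is 0, a group
    holding only address objects is 1. A group that indirectly contains itself
    raises ValueError instead of recursing forever.
    """
    if name in _path:
        raise ValueError("membership loop: " + " -> ".join(_path + (name,)))
    if name not in groups:                # anything that is not a group is a leaf
        return {name}, 0
    leaves, depth = set(), 0
    for member in groups[name]:
        sub_leaves, sub_depth = resolve(member, groups, _path + (name,))
        leaves |= sub_leaves
        depth = max(depth, sub_depth + 1)
    return leaves, depth


def policy_reach(policy_id, groups, policies):
    """Effective source and destination address objects of one policy."""
    pol = policies[policy_id]
    return {side: set().union(*(resolve(n, groups)[0] for n in pol[side]))
            for side in ("srcaddr", "dstaddr")}


if __name__ == "__main__":
    groups, policies = parse_config(SAMPLE_CONFIG)
    print("srcgrp01 ->", resolve("srcgrp01", groups))   # ({'h-192.168.2.2'}, 5)
    print("policy 10 ->", policy_reach("10", groups, policies))
```

Run against a full "show full-configuration" dump the same parser works unchanged, since it only reacts to the two section names and ignores everything else; a group whose depth comes out higher than you expect, or a ValueError from resolve, is worth a look before the policy is trusted.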

New Proxmox VM does not boot

When adding a new VM (in this example the Nextcloud appliance VM from https://www.hanssonit.se/nextcloud-vm/ ) to an old version of Proxmox ...