FortiGate default configuration does not verify the LDAP server identity - CVE-2019-5591

I have found a vulnerability in all FortiOS versions, including the current 5.4/5.6/6.0/6.2 branches. The issue has been fixed in 6.0.3/6.2.1 by using the new feature "server-identity-check":
 

The vulnerability is in the LDAPS connection of the FortiGate to a LDAP-Server. The FortiGate does not properly check the certificate sent from the LDAP-Server, allthough the correct CA certificate is configured. More details will be published later.

Fortinet PSIRT-team responded quickly, has acknowledged the issue, told me that some one else also reported the issue, assigned CVE-2019-5591 to it and released the following PSIRT advisory: https://fortiguard.com/psirt/FG-IR-19-037

Solution:


Update to FortiOS 6.0.3+ or 6.2.1+ and set the following option:


config user ldap
edit ldap-server
set server-identity-check enable

 
at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by...