ZebOS routing remote shell service enabled
Description
A remote attacker may access the internal ZebOS shell of FortiOS 5.2.3 without authentication, on the HA ("High Availability") dedicated management interface only. Only FortiGates configured with HA *and* with an enabled HA dedicated management interface are vulnerable.
Note: when a FortiGate is configured to use HA, the dedicated management interface is disabled by default.
Impact Detail
Mitigating factors: A vulnerable custom configuration would require HA to be enabled in the System Config HA menu with the mode setting set to Active-Passive or Active-Active *and* the "Reserve Management Port for Cluster Member" checkbox ticked.
CLI custom HA active-passive configuration example that would be vulnerable:
config system ha
    set group-name "TEST"
    set mode a-p
    set ha-mgmt-status enable
    set ha-mgmt-interface "port4"
end
Affected Products
FortiGate v5.2.3 only.
Solutions
FortiOS 5.2.3 must be upgraded to FortiOS 5.2.4.
FortiOS 5.2.2 and lower are not affected.
FortiOS 5.0.12 and lower are not affected.
As a workaround, LAN access to the HA interface may be filtered by a transit firewall or not routed.
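The two conditions stated above (an affected FortiOS version, and an HA cluster in a-p or a-a mode with the dedicated management interface reserved) can be checked offline against a configuration backup before deciding whether a unit needs the 5.2.4 upgrade or the transit-firewall workaround. The following audit script is an added example and is not part of the advisory or a Fortinet tool. It assumes the backup's first line follows the usual FortiOS `#config-version=<model>-<version>-FW-build...` header convention (treated as an assumption here), and the sample configuration embedded below is constructed from the advisory's own CLI example.

```python
import re

# Constructed sample: the advisory's vulnerable "config system ha" block, preceded by a
# FortiOS-style header line (assumed format) and followed by an unrelated section, so
# the parser has to pick out the right block.
SAMPLE_VULNERABLE_CONFIG = """\
#config-version=FGT100D-5.2.3-FW-build670-150318:opmode=0:vdom=0
config system ha
    set group-name "TEST"
    set mode a-p
    set ha-mgmt-status enable
    set ha-mgmt-interface "port4"
end
config system interface
    edit "port4"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""

# From the advisory: only FortiOS 5.2.3 is affected.
AFFECTED_VERSIONS = {"5.2.3"}


def fortios_version(text):
    """Return the firmware version (e.g. '5.2.3') from the #config-version header, or None."""
    m = re.search(r"^#config-version=\S+?-(\d+\.\d+\.\d+)-", text, re.M)
    return m.group(1) if m else None


def parse_config_section(text, section):
    """Return the top-level 'set key value' pairs of one `config <section>` ... `end` block.

    Nested `config ... end` sub-blocks inside the section are skipped so that their
    `end` does not terminate the outer block early.
    """
    settings = {}
    in_section = False
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == f"config {section}"
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break
            depth -= 1
            continue
        if depth == 0:
            m = re.match(r"set\s+(\S+)\s+(.*)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def is_exposed(text):
    """True only when every advisory condition holds.

    A missing ha-mgmt-status is treated as disabled, matching the advisory's note that the
    dedicated management interface is off by default when HA is configured.
    """
    ha = parse_config_section(text, "system ha")
    return (
        fortios_version(text) in AFFECTED_VERSIONS
        and ha.get("mode") in {"a-p", "a-a"}
        and ha.get("ha-mgmt-status") == "enable"
    )


def audit(text):
    """Summarise the relevant settings for a human reviewer."""
    ha = parse_config_section(text, "system ha")
    return {
        "version": fortios_version(text),
        "mode": ha.get("mode"),
        "ha-mgmt-status": ha.get("ha-mgmt-status", "disable"),
        "ha-mgmt-interface": ha.get("ha-mgmt-interface"),
        "exposed": is_exposed(text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_VULNERABLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against `show full-configuration` output or a saved backup instead of the embedded sample; a result of `exposed: True` means the unit matches the advisory's affected configuration, and the `ha-mgmt-interface` value names the port whose LAN reachability the workaround would filter.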