Critical Fortinet Vulnerability Allows Attackers to Bypass FortiCloud SSO Authentication
Fortinet has recently disclosed a critical security vulnerability affecting several of its products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. This flaw, identified as an Improper Verification of Cryptographic Signature (CWE-347), enables unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) authentication, potentially granting them unauthorized administrative access to affected devices.
Understanding the Vulnerability
The core issue lies in the improper verification of signatures within Security Assertion Markup Language (SAML) messages. SAML is a standard protocol used for exchanging authentication and authorization data between parties, particularly in web-based applications. In this case, Fortinet’s products fail to adequately verify the cryptographic signatures in SAML messages, allowing attackers to craft malicious SAML responses that can bypass the FortiCloud SSO login mechanism.
This vulnerability is particularly concerning because it does not require prior authentication. An attacker can exploit this flaw remotely without needing valid credentials, making it a significant threat to organizations using these Fortinet products.
Affected Products and Versions
The vulnerability impacts the following Fortinet products and versions:
– FortiOS:
– Versions 7.6.0 through 7.6.3
– Versions 7.4.0 through 7.4.8
– Versions 7.2.0 through 7.2.11
– Versions 7.0.0 through 7.0.17
– FortiProxy:
– Versions 7.6.0 through 7.6.3
– Versions 7.4.0 through 7.4.10
– Versions 7.2.0 through 7.2.14
– Versions 7.0.0 through 7.0.21
– FortiSwitchManager:
– Versions 7.2.0 through 7.2.6
– Versions 7.0.0 through 7.0.5
– FortiWeb:
– Version 8.0.0
– Versions 7.6.0 through 7.6.4
– Versions 7.4.0 through 7.4.9
It’s important to note that the FortiCloud SSO login feature is not enabled by default. However, during device registration to FortiCare via the graphical user interface (GUI), the Allow administrative login using FortiCloud SSO option is toggled on by default. Unless administrators explicitly disable this feature during registration, the device becomes susceptible to this authentication bypass vulnerability.
Mitigation and Recommended Actions
Fortinet has released patches to address this critical vulnerability. Organizations are strongly advised to upgrade to the latest versions as outlined below:
– FortiOS:
– Upgrade to version 7.6.4 or above
– Upgrade to version 7.4.9 or above
– Upgrade to version 7.2.12 or above
– Upgrade to version 7.0.18 or above
– FortiProxy:
– Upgrade to version 7.6.4 or above
– Upgrade to version 7.4.11 or above
– Upgrade to version 7.2.15 or above
– Upgrade to version 7.0.22 or above
– FortiSwitchManager:
– Upgrade to version 7.2.7 or above
– Upgrade to version 7.0.6 or above
– FortiWeb:
– Upgrade to version 8.0.1 or above
– Upgrade to version 7.6.5 or above
– Upgrade to version 7.4.10 or above
For organizations unable to apply the patches immediately, a temporary workaround is available. Administrators can mitigate the risk by disabling the FortiCloud SSO login feature. This can be done by accessing the device’s administrative settings and toggling off the Allow administrative login using FortiCloud SSO option.
Broader Implications and Security Best Practices
This vulnerability underscores the importance of rigorous security practices, especially concerning authentication mechanisms. Single Sign-On (SSO) systems are designed to simplify user authentication across multiple applications, but they can become single points of failure if not properly secured.
Organizations should consider the following best practices to enhance their security posture:
1. Regular Software Updates: Ensure that all software and firmware are kept up to date with the latest security patches.
2. Disable Unnecessary Features: Review and disable features that are not in use to reduce the attack surface.
3. Implement Multi-Factor Authentication (MFA): Adding an extra layer of authentication can help prevent unauthorized access, even if credentials are compromised.
4. Monitor and Audit Logs: Regularly review access logs to detect any unusual or unauthorized activities.
5. Conduct Security Training: Educate employees and administrators about potential security threats and the importance of following security protocols.
By promptly addressing this vulnerability and adhering to these best practices, organizations can significantly reduce the risk of unauthorized access and potential data breaches.
