CVE-2019-15706

4.1 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability allows an authenticated remote attacker to inject script into the SSL VPN portal of affected Fortinet devices. When other users open the affected portal pages, the script runs in their browsers, potentially stealing their credentials or performing actions as them. Affected systems include FortiProxy versions 2.0.0, 1.2.9 and below, and FortiOS versions 6.2.1 and below, 6.0.8 and below, and 5.6.12.

💻 Affected Systems

Products:
  • FortiProxy
  • FortiOS
Versions: FortiProxy: 2.0.0, 1.2.9 and below; FortiOS: 6.2.1 and below, 6.0.8 and below, 5.6.12
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SSL VPN portal functionality. Requires attacker to have authenticated access to the VPN portal.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal VPN credentials, hijack user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠 Likely Case

Attackers would steal session cookies or credentials from users accessing the compromised VPN portal, leading to unauthorized VPN access.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the VPN portal. Stored XSS means the payload persists and affects multiple users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiProxy 2.0.1, 1.2.10; FortiOS 6.2.2, 6.0.9, 5.6.13

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-19-223

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update through the web interface or CLI.
4. Reboot the device.
5. Verify the version after the reboot.

🔧 Temporary Workarounds

Disable SSL VPN portal

Applies to: all

Temporarily disable the SSL VPN portal if it is not required, and use an alternative VPN method in the meantime. Removing every listening interface from the SSL VPN settings stops the portal from being reachable (the original snippet's "set source-interface 'disable'" is not a valid value; "unset" clears the interface list):

config vpn ssl settings
unset source-interface
end

Restrict VPN access

Applies to: all

Limit VPN access to trusted IP ranges and enforce strong authentication. The address object below is referenced as the permitted client source range; x.x.x.x is the network address and y.y.y.y its netmask:

config firewall address
edit 'trusted_ips'
set subnet x.x.x.x y.y.y.y
next
end
config vpn ssl settings
set source-address 'trusted_ips'
end

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with XSS protection rules to filter malicious inputs.
  • Monitor VPN portal access logs for suspicious activity and implement user behavior analytics.

🔍 How to Verify

Check if Vulnerable:

Check current firmware version against affected versions. Review VPN portal for any unexpected scripts or modifications.

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify firmware version is updated to patched versions. Test VPN portal functionality with safe XSS payloads to ensure they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to VPN portal endpoints with script tags or JavaScript code
  • Multiple failed login attempts followed by successful authentication and portal modifications

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript events to VPN portal URLs
  • Unexpected outbound connections from VPN users to external domains

SIEM Query:

source="fortigate" AND (url="*/remote/login*" OR url="*/portal*") AND (http_method="POST" AND (content="*<script>*" OR content="*javascript:*" OR content="*onload=*"))
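As an added example (not code from the advisory or from Fortinet), the same rule as the SIEM query above applied in Python to constructed key=value log lines, extended to URL-decode the request body before matching so that encoded variants the literal query would miss are still flagged. The field names srcip, method, url and content are assumptions to be mapped to your SIEM's FortiGate schema.

```python
"""Flag portal requests carrying the XSS indicators from the advisory's SIEM query.
Added example, not code from the advisory or from Fortinet. The log format is a
constructed, simplified key=value line; the field names (srcip, method, url,
content) are assumptions and must be mapped to your SIEM's FortiGate schema.
"""
import re
from urllib.parse import unquote

# Indicators and paths taken from the advisory's SIEM query, matched after
# URL-decoding and lower-casing so encoded variants (%3Cscript%3E) still hit.
XSS_MARKERS = ("<script", "javascript:", "onload=")
PORTAL_PATHS = ("/remote/login", "/portal")
# key=value pairs; a value is either a double-quoted string or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Return the fields of one constructed key=value log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def normalise(value):
    """URL-decode twice (catches %253C double encoding), then lower-case."""
    return unquote(unquote(value)).lower()

def is_suspicious(fields):
    """Mirror the SIEM query: POST to a portal path with a script marker in the body."""
    if fields.get("method", "").upper() != "POST":
        return False
    url = normalise(fields.get("url", ""))
    if not any(path in url for path in PORTAL_PATHS):
        return False
    body = normalise(fields.get("content", ""))
    return any(marker in body for marker in XSS_MARKERS)

def flag_lines(lines):
    """Return (line number, source IP) for every log line the rule matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = parse_log_line(line)
        if is_suspicious(fields):
            hits.append((number, fields.get("srcip", "?")))
    return hits

SAMPLE_LOGS = [  # constructed sample lines, not real FortiGate output
    'srcip=203.0.113.7 method=POST url="/remote/login" content="username=alice&credential=redacted"',
    'srcip=203.0.113.9 method=POST url="/portal/bookmark" content="name=<script>test</script>"',
    'srcip=203.0.113.9 method=POST url="/portal/bookmark" content="name=%3Cscript%3Etest%3C/script%3E"',
    'srcip=198.51.100.4 method=GET url="/portal/bookmark?q=<script>" content=""',
]
```

Running flag_lines(SAMPLE_LOGS) reports lines 2 and 3; the third line only matches because of the decoding step, which is the gap to keep in mind when the literal SIEM query returns nothing.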
