CVE-2019-6697
📋 TL;DR
This vulnerability allows an unauthenticated attacker on the same network as a FortiGate firewall to inject malicious scripts via crafted DHCP packets. The attack targets the DHCP monitor page's hostname parameter, enabling stored cross-site scripting (XSS). Affected systems include FortiGate firewalls running vulnerable firmware versions.
💻 Affected Systems
- FortiGate
📦 What is this software?
Fortios by Fortinet
Fortios by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker could execute arbitrary JavaScript in the context of an administrator's session, potentially stealing credentials, performing administrative actions, or compromising the firewall management interface.
Likely Case
Attackers could hijack administrator sessions, steal authentication cookies, or redirect administrators to malicious sites to harvest credentials.
If Mitigated
With proper network segmentation and access controls, the attack surface is limited to internal networks, reducing exposure to trusted users only.
🎯 Exploit Status
Exploitation requires network access to send crafted DHCP packets. No authentication is needed, making this accessible to any internal attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiOS 6.2.2 or 6.0.7 and later
Vendor Advisory: https://fortiguard.com/advisory/FG-IR-19-184
Restart Required: Yes
Instructions:
1. Download the patched firmware version from Fortinet support portal. 2. Backup current configuration. 3. Upload and install the new firmware via GUI or CLI. 4. Reboot the FortiGate to complete installation.
🔧 Temporary Workarounds
Disable DHCP Monitoring
allTemporarily disable DHCP monitoring to prevent exploitation via the vulnerable parameter.
config system dhcp server
edit <interface>
set dhcp-snooping disable
end
Restrict Network Access
allImplement network segmentation to limit which devices can send DHCP packets to the FortiGate.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the FortiGate management interface from untrusted networks.
- Use web application firewalls (WAF) or input validation rules to block malicious script injection in DHCP parameters.
🔍 How to Verify
Check if Vulnerable:
Check FortiOS version via GUI (System > Dashboard) or CLI command 'get system status'. If version is between 6.2.0-6.2.1 or 6.0.0-6.0.6, the system is vulnerable.Check Version:
get system status | grep VersionVerify Fix Applied:
After patching, verify the FortiOS version is 6.2.2+ or 6.0.7+ and test DHCP packet injection attempts are properly sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual DHCP packets with long or script-like hostname parameters in FortiGate logs
- Multiple failed login attempts following DHCP events
Network Indicators:
- DHCP packets containing JavaScript or HTML tags in hostname field
- Unusual traffic to FortiGate management interface from internal hosts
SIEM Query:
source="fortigate" (dhcp AND hostname AND (script OR javascript OR <script>))