PSIRT Advisories

ZebOS routing remote shell service enabled

description-logo Description

A remote attacker may access the internal ZebOS shell of FortiOS 5.2.3 without authentication on the HA ("High Availability") dedicated management interface only.
Only FortiGates configured with HA *and* with an enabled HA dedicated management interface are vulnerable.
Note: when a FortiGate is configured to use HA, the dedicated management interface is disabled by default .

Impact Detail

Mitigating factors: A vulnerable custom configuration would require to have HA enabled in the System Config HA menu with the mode setting set to Active-Passive or Active-Active *and* the "Reserve Management Port for Cluster Member" checkbox ticked.
CLI custom HA active-passive configuration example that would be vulnerable:
config system ha
set group-name "TEST"
set mode a-p
set ha-mgmt-status enable
set ha-mgmt-interface "port4"

Affected Products

FortiGate v5.2.3 only.


FortiOS 5.2.3 must be upgraded to FortiOS 5.2.4.
FortiOS 5.2.2 and lower are not affected.
FortiOS 5.0.12 and lower are not affected.
As a workaround the LAN access to the HA interface may be filtered by a transit firewall or not routed.


Thanks to Burda Digital Systems.