ZebOS routing remote shell service enabled
Description
A remote attacker may access the internal ZebOS shell of FortiOS 5.2.3 without authentication, on the HA ("High Availability") dedicated management interface only.
Only FortiGates configured with HA *and* with an enabled HA dedicated management interface are vulnerable.
Note: when a FortiGate is configured to use HA, the dedicated management interface is disabled by default.
Impact Detail
Mitigating factors: a vulnerable custom configuration requires HA to be enabled in the System Config HA menu, with the mode setting set to Active-Passive or Active-Active *and* the "Reserve Management Port for Cluster Member" checkbox ticked.
CLI custom HA active-passive configuration example that would be vulnerable:
config system ha
    set group-name "TEST"
    set mode a-p
    set ha-mgmt-status enable
    set ha-mgmt-interface "port4"
end
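To audit a fleet of configuration backups for the condition described above, the following added example (not Fortinet's code, and not part of this advisory) parses the `config system ha` block from a FortiOS-style CLI configuration dump and reports whether the three conditions from the advisory are all met: FortiOS version 5.2.3, HA mode Active-Passive (`a-p`) or Active-Active (`a-a`), and `ha-mgmt-status enable`. The FortiOS version is passed in separately because the backup-header format is not shown on this page; the sample configurations inside the block are constructed for illustration and mirror the advisory's example.

```python
import re

# Added example: parse the 'config system ha' block of a FortiOS-style CLI config dump.
# Handles nested sub-tables (e.g. 'config secondary-vcluster ... end') so an inner 'end'
# does not terminate the outer block early. Only settings at the top level of
# 'config system ha' are recorded.
def parse_system_ha(config_text):
    settings = {}
    depth = 0  # 0 = outside the block, 1 = directly inside, >1 = nested sub-table
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system ha":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            m = re.match(r'set\s+(\S+)\s+(.*)$', line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


# Returns True only when all three advisory conditions hold: FortiOS 5.2.3,
# HA mode a-p or a-a, and the dedicated HA management interface enabled.
def exposes_zebos_shell(config_text, fortios_version):
    ha = parse_system_ha(config_text)
    affected_version = fortios_version == "5.2.3"
    ha_clustered = ha.get("mode") in ("a-p", "a-a")
    mgmt_enabled = ha.get("ha-mgmt-status") == "enable"
    return affected_version and ha_clustered and mgmt_enabled


# Constructed sample: the vulnerable configuration from the advisory.
VULNERABLE_CONFIG = """\
config system ha
    set group-name "TEST"
    set mode a-p
    set ha-mgmt-status enable
    set ha-mgmt-interface "port4"
end
"""

# Constructed sample: same cluster with the dedicated management interface disabled
# (the default), which removes the exposed service without needing the upgrade.
HARDENED_CONFIG = """\
config system ha
    set group-name "TEST"
    set mode a-p
    set ha-mgmt-status disable
end
"""

# Constructed sample: nested sub-table plus a standalone (non-HA) unit with the
# management setting enabled; not affected because HA is not in use.
STANDALONE_CONFIG = """\
config system ha
    set mode standalone
    set ha-mgmt-status enable
    config secondary-vcluster
        set vcluster-id 2
    end
    set ha-mgmt-interface "port4"
end
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("standalone", STANDALONE_CONFIG)):
        print(name, "5.2.3:", exposes_zebos_shell(cfg, "5.2.3"),
              "| 5.2.4:", exposes_zebos_shell(cfg, "5.2.4"))
```

Run it against your own exported backups (one call per device, with the version taken from your inventory); any `True` result identifies a unit that should be upgraded to 5.2.4 or have `ha-mgmt-status` set back to `disable` until it can be.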
Affected Products
FortiGate v5.2.3 only.
Solutions
FortiOS 5.2.3 must be upgraded to FortiOS 5.2.4.
FortiOS 5.2.2 and lower are not affected.
FortiOS 5.0.12 and lower are not affected.
As a workaround, LAN access to the HA dedicated management interface may be filtered by a transit firewall, or the interface may be left unrouted.