CVE-2004-1653 SSH port forwarding exposes unprotected internal services

Summary

An improper access control vulnerability in the admin SSH console of multiple products may allow an authenticated user to access internal only system services via using SSH local port forwarding. A successful attack needs an authenticated admin SSH user to set up a port bounce to product internal only services via SSH local port forwarding; potential consequences are information disclosure and/or privilege escalation.

Affected Products

FortiGate is not impacted. FortiGate is not impacted. FortiSwitch is not impacted. FortiSwitch is not impacted. FortiAnalyzer versions 5.x, 6.2.0 to 6.2.3, 6.0.8 and below FortiAnalyzer versions 5.x, 6.2.0 to 6.2.3, 6.0.8 and below FortiManager versions 5.x, 6.2.0 to 6.2.3, 6.0.8 and below FortiManager versions 5.x, 6.2.0 to 6.2.3, 6.0.8 and below FortiADC versions 5.3.0 through 5.3.4 and 5.2.0 through 5.2.5. FortiADC versions 5.3.0 through 5.3.4 and 5.2.0 through 5.2.5. FortiWAN versions 4.5.7 and below FortiWAN versions 4.5.7 and below FortiAP-S/W2 versions 6.2.3 and below FortiAP-S/W2 versions 6.2.3 and below FortiAP-U versions 6.0.1 and below FortiAP-U versions 6.0.1 and below FortiAP-C versions 5.4.2 and below FortiAP-C versions 5.4.2 and below FortiDDOS versions 5.2.0 and below FortiDDOS versions 5.2.0 and below FortiExtender version 4.2.0 and below FortiExtender version 4.2.0 and below FortiWLC versions 8.5.1 through 8.5.5 FortiWLC versions 8.5.1 through 8.5.5 FortiPortal versions 5.3.2 and below, 5.2.4 and below FortiPortal versions 5.3.2 and below, 5.2.4 and below FortiSIEM versions 5.x, 6.1.x, 6.2.x FortiSIEM versions 5.x, 6.1.x, 6.2.x

Solutions

Please upgrade to FortiAnalyzer versions 6.0.9 or 6.2.4 or 6.4.0 or above Please upgrade to FortiAnalyzer versions 6.0.9 or 6.2.4 or 6.4.0 or above Please upgrade to FortiManager versions 6.0.9 or 6.2.4 or 6.4.0 above Please upgrade to FortiManager versions 6.0.9 or 6.2.4 or 6.4.0 above Please upgrade to FortiADC versions 5.3.5 or 5.2.6 or 5.4.0 or above. Please upgrade to FortiADC versions 5.3.5 or 5.2.6 or 5.4.0 or above. Please upgrade to FortiWAN versions 4.5.8 or above. Please upgrade to FortiWAN versions 4.5.8 or above. Please upgrade to FortiAP-S/W2 versions 6.2.4 or above. Please upgrade to FortiAP-S/W2 versions 6.2.4 or above. Please upgrade to FortiAP-U versions 6.0.2 or above. Please upgrade to FortiAP-U versions 6.0.2 or above. Please upgrade to FortiAP-C versions 5.4.3 or above. Please upgrade to FortiAP-C versions 5.4.3 or above. Please upgrade to FortiDDOS versions 5.2.1 or above. Please upgrade to FortiDDOS versions 5.2.1 or above. Please upgrade to FortiExtender versions 4.2.1 or above. Please upgrade to FortiExtender versions 4.2.1 or above. Please upgrade to FortiWLC versions 8.6.0 or above. Please upgrade to FortiWLC versions 8.6.0 or above. Please upgrade to FortiPortal versions 5.2.5 or 5.3.3 or 6.0.0 or above. Please upgrade to FortiPortal versions 5.2.5 or 5.3.3 or 6.0.0 or above. Please upgrade to FortiSIEM versions 6.3.0 or above. Please upgrade to FortiSIEM versions 6.3.0 or above. Workarounds: Workarounds: isable admin SSH console, or set trusted hosts to restrict admin SSH console access to trusted users, to prevent scenarios where an attacker who acquired valid user accounts via phishing / social engineering uses those to perform this attack. isable admin SSH console, or set trusted hosts to restrict admin SSH console access to trusted users, to prevent scenarios where an attacker who acquired valid user accounts via phishing / social engineering uses those to perform this attack.

Acknowledgement

Fortinet is pleased to thank Renee Trisberg from SpectX ( https://www.spectx.com/ ) for reporting this vulnerability under FortiAnalyzer through responsible disclosure.

References

  • OpenSSH CVE-2004-1653