FortiOS - Bypassing FortiGate security profiles via SNI in Client Hello

Summary

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS may allow a privileged attacker to disclose sensitive information via SNI Client Hello TLS packets.

Affected Products

All FortiOS versions are impacted by this vulnerability.

Solutions

Given that there is no systematic way to detect all exfiltration attempts and to exhaustively enumerate all possibilities offered by exfiltration channels, Fortinet has addressed the issue by releasing a set of IPS signatures:

  1. Python/SNICat.A!exploit https://www.fortiguard.com/encyclopedia/virus/10069638
  2. SNIcat.Data.Exfiltration.Tool https://www.fortiguard.com/encyclopedia/ips/50952