Flaws in FortiMail IBE Appliances Allow Hackers to Hijack Admin Sessions
The security holes have been addressed by Fortinet with the release of FortiMail 4.3.4
Experts from German security firm Vulnerability Lab have identified input filter bypass and exception handling vulnerabilities in several FortiMail IBE appliances. FortiMail IBE 200D, 400C, VM2000, 2000B and 5002B are impacted.Cybercriminals could leverage the vulnerabilities to hijack administrator or customer sessions and gain access to sensitive information.
“The first vulnerability is located in the parse module with the bound vulnerable exception-handling and vulnerable effect on all input fields,” reads the advisory provided by Vulnerability Lab to Softpedia.
“The vulnerability allows an attacker to bypass the input parse routine by an implement of 2 close tags, which results in the execution of the secound injected script code with a space between,” the advisory continues.
“The secound vulnerability is located in the import/upload certificate module with the bound vulnerable certificate name and information parameters. An attacker can implement own certificates with script code in the malicious name and information values. After the upload the persistent code get executed out of the certificate listing main module.”
The security holes have been reported to Fortinet back in September 2012 and the company fixed the vulnerabilities with the release of FortiMail 4.3.4 and FortiMail 5.0.0. The fix has been coordinated by the Product Security Incident Response Team (PSIRT) in cooperation with Fortinet.
Since the risk associated with these types of vulnerabilities is high, Fortinet advises customers to upgrade their appliances in order to close the attack vectors.
Technical aspects and a complete proof of concept are available here. Vulnerability Lab has also published a POC video which shows how the filter mechanism of the FortiMail appliance can be bypassed to execute persistent malicious code.