CVE-2017-7337 in FortiPortal
Summary
by MITRE
An improper Access Control vulnerability in Fortinet FortiPortal versions 4.0.0 and below allows an attacker to interact with unauthorized VDOMs or enumerate other ADOMs via another user's stolen session and CSRF tokens or the adomName parameter in the /fpc/sec/customer/policy/getAdomVersion request.
Analysis
by VulDB Data Team • 10/03/2020
The vulnerability described in CVE-2017-7337 represents a critical improper access control flaw within Fortinet FortiPortal devices running versions 4.0.0 and earlier. This weakness stems from insufficient validation of user permissions and session management mechanisms, allowing unauthorized actors to exploit session tokens and cross-site request forgery tokens to access administrative domains they should not be able to reach. The vulnerability specifically targets the /fpc/sec/customer/policy/getAdomVersion endpoint which handles requests for administrative domain version information, creating a pathway for attackers to enumerate and interact with other administrative domains through stolen session data or manipulated adomName parameters.
The technical exploitation of this vulnerability occurs through session hijacking techniques combined with cross-site request forgery token manipulation. Attackers can leverage a stolen session from a legitimate user to make unauthorized requests to the vulnerable endpoint, bypassing normal access controls that should restrict users to their designated administrative domains. The adomName parameter becomes a critical vector for exploitation, as it allows attackers to specify arbitrary administrative domain names in the request, effectively enabling them to probe and access other ADOMs within the same FortiPortal instance. This flaw fundamentally undermines the principle of least privilege and violates the security boundary enforcement that should exist between different administrative domains.
The operational impact of this vulnerability is severe and multifaceted, affecting organizations that rely on FortiPortal for network security management and policy enforcement. An attacker who successfully exploits this vulnerability gains the ability to access sensitive configuration data, policy information, and potentially modify settings across unauthorized administrative domains. This could lead to complete compromise of network security controls, unauthorized access to critical infrastructure, and the ability to manipulate security policies that protect other organizational segments. The vulnerability particularly affects environments where multiple administrative domains are used to isolate different security zones or organizational units, as it undermines the fundamental security isolation provided by these administrative boundaries.
Organizations should address this vulnerability with several layers of mitigation. The most important step is upgrading to a FortiPortal release that fixes the access control flaw, specifically version 4.0.1 or later. Administrators should also enforce strict session management (session timeouts, regular session rotation, and monitoring for anomalous access patterns), and enforce input validation for all request parameters, particularly adomName, at the web application firewall or API gateway. Comprehensive security audits should be conducted to identify unauthorized access attempts, and monitoring should be established to detect exploitation through stolen session tokens or CSRF token manipulation. The vulnerability is classified under CWE-285 (improper authorization) and corresponds to the ATT&CK techniques T1078 (valid accounts) and T1566 (credential harvesting), making it a critical concern for enterprise security teams implementing defense-in-depth strategies.
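To make the missing check concrete, the following is an added illustration (not Fortinet's or VulDB's code): a minimal model of the getAdomVersion handler in its vulnerable form beside a hardened form that binds the requested adomName to the caller's own ADOM scope and ties the CSRF token to the session, plus a small scope-violation check over request tuples of the kind an access log would yield. The ADOM names, users, version strings and session store are constructed here for illustration only.

```python
import hmac
import secrets

# Constructed sample data: which ADOMs each user may administer, and each
# ADOM's version. Real FortiPortal data is not represented here.
ADOM_VERSIONS = {"customerA": "5.4.1", "customerB": "5.6.2", "root": "6.0.0"}
USER_ADOMS = {"alice": {"customerA"}, "bob": {"customerB"}}


def new_session(user):
    """Issue a session with a per-session CSRF token (constructed store)."""
    return {"user": user, "csrf": secrets.token_hex(16)}


def get_adom_version_vulnerable(session, adom_name):
    """Pattern the advisory describes: the caller is authenticated, but the
    requested adomName is never checked against the caller's own ADOM
    scope, so any valid (or stolen) session can enumerate every ADOM."""
    if session is None:
        return 401, None
    if adom_name not in ADOM_VERSIONS:
        return 404, None
    return 200, ADOM_VERSIONS[adom_name]


def get_adom_version_hardened(session, adom_name, csrf_token):
    """Same endpoint with object-level authorization and a session-bound
    CSRF check. Unknown and forbidden ADOMs yield the same response so the
    parameter cannot be used as an existence oracle for other ADOMs."""
    if session is None:
        return 401, None
    if not hmac.compare_digest(session["csrf"], csrf_token or ""):
        return 403, None
    allowed = USER_ADOMS.get(session["user"], set())
    if adom_name not in allowed or adom_name not in ADOM_VERSIONS:
        return 404, None  # identical response for "forbidden" and "absent"
    return 200, ADOM_VERSIONS[adom_name]


def users_requesting_out_of_scope(requests):
    """Detection over (user, adomName) pairs taken from request logs:
    returns the users that asked for an ADOM outside their own scope."""
    return {u for u, a in requests if a not in USER_ADOMS.get(u, set())}
```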