Vulnerability: USB auto firmware install enabled in the firewall configuration (insecure firewall configuration)
Description: The FortiGate firewall configuration does not follow best practice: a USB key can be used to upgrade the firmware and restore the configuration. During the console review it was found that USB auto-install is enabled by default. With auto-install enabled, the firmware can be replaced when the firewall reboots, and a firmware change on reboot can take the firewall out of production. This misconfiguration counts as a vulnerability.
Impact: USB auto-install allows an attacker who can insert a USB key to load malicious firmware while the firewall starts up or boots. Malicious firmware and configuration could open the door for an attacker to enter the organization.
Solution:
USB auto-install should be disabled when not in use. Over-the-air (network) firmware upgrade is recommended instead.
Use this command to configure automatic installation of firmware and configuration from a USB key when the FortiGate unit restarts. The command is available only on units that have a USB key connector.
The steps below show how to enable or disable the USB key auto-install.
Go to System > Maintenance > Advanced > USB auto-install > Enable
With USB auto-install enabled, FortiOS automatically installs the firmware if a file with the configured filename is found on the USB stick.
config system auto-install
    set auto-install-config enable
    set auto-install-image enable
    set default-config-file "Fortigate_netsecaddcit.conf"
    set default-image-file "Fgt_30E.out"
end
To disable it in the GUI, go to System > Maintenance > Advanced > USB auto-install and turn off Enable.
We recommend disabling USB auto-install of firmware to avoid this vulnerability. The corresponding CLI configuration is:
config system auto-install
    set auto-install-config disable
    set auto-install-image disable
    set default-config-file "Fortigate_netsecaddcit.conf"
    set default-image-file "Fgt_30E.out"
end
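As an added example (not part of the original finding or of FortiOS), the following script audits a FortiGate configuration export for the two USB auto-install settings discussed above, so the check can be run over backups instead of logging into each console. The configuration text is constructed for the example; the block and setting names are the ones shown in the CLI above.

```python
import re

# Constructed sample of a FortiGate configuration export (not from the page);
# it mirrors the insecure state the finding describes.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system auto-install
    set auto-install-config enable
    set auto-install-image enable
    set default-config-file "Fortigate_netsecaddcit.conf"
    set default-image-file "Fgt_30E.out"
end
"""

# The block starts with 'config system auto-install' and ends at the next 'end'
# at the start of a line; 'set <key> <value>' lines may quote the value.
BLOCK_RE = re.compile(r"^config system auto-install[ \t]*\n(.*?)^end[ \t]*$", re.S | re.M)
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"\n]*?)"?[ \t]*$', re.M)

def parse_auto_install(config_text):
    """Return the 'config system auto-install' settings as a dict.
    An absent block yields {} (the unit then runs with FortiOS defaults)."""
    m = BLOCK_RE.search(config_text)
    return dict(SET_RE.findall(m.group(1))) if m else {}

def audit_auto_install(config_text):
    """Return finding strings; an empty list means both USB auto-install
    settings are explicitly disabled, as the solution above recommends."""
    settings = parse_auto_install(config_text)
    findings = []
    for key, what in (("auto-install-image", "firmware image"),
                      ("auto-install-config", "configuration file")):
        value = settings.get(key)
        # The finding states the feature is enabled by default, so a setting
        # that is missing from the export is reported, not assumed safe.
        if value is None:
            findings.append(f"{key} not set: {what} auto-install at default")
        elif value != "disable":
            findings.append(f"{key} {value}: {what} loads from USB on reboot")
    return findings

if __name__ == "__main__":
    for finding in audit_auto_install(SAMPLE_CONFIG):
        print("FINDING:", finding)
```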