Virtual Patching

This feature is supported in FortiOS 7.2.4 and later.

Introduction to virtual patching

Virtual patching (Virtual Patch) mitigates exploitation of known vulnerabilities by blocking them with the FortiGate IPS Engine. It can be used when the attack target is the FortiGate itself: a Local-in Policy on the FortiGate ingress interface applies the FMWP (Firmware Virtual Patch) database to that interface. For example, the FMWP database pushed from FortiGuard can be used to mitigate attacks against the GUI and SSL VPN, temporarily patching those vulnerabilities.

Applicable scenarios

This applies when the FortiGate itself has a vulnerability but its firmware cannot be upgraded for the time being (for example, the device carries critical traffic and cannot be upgraded and rebooted in the short term). Virtual patching is only a stopgap; upgrading to a fixed version remains the recommended way to resolve the vulnerability.

How it works

When virtual patching is enabled in a Local-in Policy, the IPS Engine queries the FortiGuard servers and performs the following actions:

  • Fetch the list of vulnerabilities for the FortiGate's current firmware version.
  • Based on the service (protocol and port) of the local-in session, decide whether a session headed for a local ingress interface on the FortiGate needs to be scanned. Currently only local SSL VPN and Web GUI traffic can be inspected.
  • If, after this check, the feature that the session matching the Local-in Policy belongs to is not among the feature types with vulnerabilities in this FortiOS version, the IPS Engine bypasses that session (for example, if the vulnerabilities the IPS Engine fetched from FortiGuard for the current firmware version concern only SSL VPN and none concern the GUI, the IPS Engine automatically bypasses all local-in GUI access sessions). To optimise performance, the IPS Engine scans and drops only sessions that may be exploiting a vulnerability.

Configuration

config firewall local-in-policy 
    edit <id>
        set action accept
        set virtual-patch {enable | disable}
    next
end

Configuration steps

Example 1

Virtual patching queries FortiGuard; this FortiOS version has only an SSL VPN vulnerability. The IPS Engine drops SSL VPN attack traffic to the FortiGate local interface and bypasses Web GUI traffic.

  1. The FortiGate must first have an FMWP license.

    FW4_FGT61F_Left # diagnose autoupdate versions | grep FMWP -A 6
    FMWP Definitions
    ---------
    Version: 24.00013 signed
    Contract Expiry Date: Fri Feb  2 2024
    Last Updated using scheduled update on Thu Feb  1 02:18:21 2024
    Last Update Attempt: Thu Feb  1 16:48:12 2024
    Result: No Updates
    
  2. On the FortiGate's public-facing interface, configure a Local-in Policy with action accept and virtual patching enabled; for Service select the HTTPS and SSL VPN ports (set the Service according to the HTTPS and SSL VPN ports configured on your FortiGate).

    config firewall local-in-policy
        edit 1
            set intf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set service "HTTPS" "SSL_VPN_10443"
            set schedule "always"
            set virtual-patch enable
        next
    end
    
  3. Check the vulnerability information the virtual patch has currently fetched from FortiGuard: it contains only the SSL VPN vulnerability and no GUI access vulnerability (in 7.4 the CLI command is diagnose ips vpatch fmwp-status).

    FortiGate # diagnose ips vpatch status 
    Enabled FMWP signatures: 1
    
      10002887 FortiOS.SSL-VPN.Heap.Buffer.Overflow.
    
  4. When this vulnerability is attacked, the attack traffic is intercepted by the IPS Engine; the IPS block log for the attack is shown below. GUI access traffic is bypassed by the IPS Engine and produces no IPS log.

    1: date=2023-11-07 time=14:53:44 eventtime=1699325624346021995 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=284 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.SSL-VPN.Heap.Buffer.Overflow." srcport=53250 dstport=11443 hostname="myfortigate.example" url="/error" httpmethod="POST" direction="outgoing" attackid=10002887 ref="http://www.fortinet.com/ids/VID10002887" incidentserialno=99614721 msg="vPatch: FortiOS.SSL-VPN.Heap.Buffer.Overflow." crscore=50 craction=4096 crlevel="critical"
    

Example 2

Virtual patching queries FortiGuard; this FortiOS version has only GUI access vulnerabilities. The IPS Engine drops GUI access attack traffic to the FortiGate local interface and bypasses SSL VPN traffic.

  1. On the FortiGate's public-facing interface, configure a Local-in Policy with action accept and virtual patching enabled; for Service select the HTTPS and SSL VPN ports (set the Service according to the HTTPS and SSL VPN ports configured on your FortiGate).

    config firewall local-in-policy
        edit 1
            set intf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set service "HTTPS" "SSL_VPN_10443"
            set schedule "always"
            set virtual-patch enable
        next
    end
    
  2. Check the vulnerability information the virtual patch has currently fetched from FortiGuard: it contains only GUI access vulnerabilities and no SSL VPN vulnerability (in 7.4 the CLI command is diagnose ips vpatch fmwp-status).

    FortiGate # diagnose ips vpatch status 
    Enabled FMWP signatures: 2
    
      10002156 FortiOS.NodeJS.Proxy.Authentication.Bypass.
      10002890 FortiOS.HTTPD.Content-Length.Memory.Corruption.
    
  3. When these vulnerabilities are attacked, the attack traffic is intercepted by the IPS Engine; the IPS block log for the attack is shown below. SSL VPN access traffic is bypassed by the IPS Engine and produces no IPS log.

    1: date=2023-11-07 time=14:55:15 eventtime=1699325715311370215 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=304 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.NodeJS.Proxy.Authentication.Bypass." srcport=53622 dstport=443 hostname="127.0.0.1:9980" url="/api/v2/cmdb/system/admin" agent="Node.js" httpmethod="GET" direction="outgoing" attackid=10002156 ref="http://www.fortinet.com/ids/VID10002156" incidentserialno=99614722 msg="vPatch: FortiOS.NodeJS.Proxy.Authentication.Bypass." crscore=50 craction=4096 crlevel="critical"
    

Example 3

Virtual patching queries FortiGuard; this FortiOS version has both GUI access vulnerabilities and an SSL VPN vulnerability. The IPS Engine drops both GUI access and SSL VPN attack traffic to the FortiGate local interface.

  1. On the FortiGate's public-facing interface, configure a Local-in Policy with action accept and virtual patching enabled; for Service select the HTTPS and SSL VPN ports (set the Service according to the HTTPS and SSL VPN ports configured on your FortiGate).

    config firewall local-in-policy
        edit 1
            set intf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set service "HTTPS" "SSL_VPN_10443"
            set schedule "always"
            set virtual-patch enable
        next
    end
    
  2. Check the vulnerability information the virtual patch has currently fetched from FortiGuard: it contains both the SSL VPN vulnerability and the GUI access vulnerabilities (in 7.4 the CLI command is diagnose ips vpatch fmwp-status).

    FortiGate # diagnose ips vpatch status 
    Enabled FMWP signatures: 3
    
      10002156 FortiOS.NodeJS.Proxy.Authentication.Bypass.
      10002887 FortiOS.SSL-VPN.Heap.Buffer.Overflow.
      10002890 FortiOS.HTTPD.Content-Length.Memory.Corruption.
    
  3. When these vulnerabilities are attacked, the attack traffic is intercepted by the IPS Engine; the IPS block logs for the attacks are shown below. Both SSL VPN and GUI access attack traffic produce IPS logs.

    1: date=2023-11-07 time=06:42:44 eventtime=1699296164649894963 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=1094 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.SSL-VPN.Heap.Buffer.Overflow." srcport=44164 dstport=10443 hostname="myfortigate.example" url="/error" httpmethod="POST" direction="outgoing" attackid=10002887 ref="http://www.fortinet.com/ids/VID10002887" incidentserialno=116392250 msg="vPatch: FortiOS.SSL-VPN.Heap.Buffer.Overflow." crscore=50 craction=4096 crlevel="critical"
    
    2: date=2023-11-07 time=06:42:09 eventtime=1699296129458704870 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=1066 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.NodeJS.Proxy.Authentication.Bypass." srcport=42352 dstport=443 hostname="127.0.0.1:9980" url="/api/v2/cmdb/system/admin" agent="Node.js" httpmethod="GET" direction="outgoing" attackid=10002156 ref="http://www.fortinet.com/ids/VID10002156" incidentserialno=116392236 msg="vPatch: FortiOS.NodeJS.Proxy.Authentication.Bypass." crscore=50 craction=4096 crlevel="critical"
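The three examples above show that a virtual-patch drop is recognisable in the IPS log by subtype="ips", action="dropped" and a msg value beginning with "vPatch:". The following Python script is an added example, not code from the page or from Fortinet: it parses the key=value FortiGate log format and summarises vPatch drops per signature, source and targeted local port, which is the check an operator runs to confirm the patch is actually catching traffic on the right ports. The sample lines are constructed for the example (line 1 and 2 follow the shape of the Example 3 entries; line 3 is a non-vPatch IPS event with a placeholder signature name so the filter has something to exclude).

```python
"""Parse FortiGate IPS log lines and summarise virtual-patch (vPatch) drops.

Added example, not part of the original page. The key=value layout and the
field names (subtype, action, msg, attackid, ...) are those of the entries
shown above; the sample records themselves are constructed.
"""
import re
from collections import Counter

# Constructed sample log text. Line 3 uses a placeholder attack name, not a
# real signature, and is there only to show that non-vPatch events are excluded.
SAMPLE_LOGS = """\
1: date=2023-11-07 time=06:42:44 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 dstip=10.1.100.1 srcintf="port2" dstintf="root" sessionid=1094 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.SSL-VPN.Heap.Buffer.Overflow." srcport=44164 dstport=10443 hostname="myfortigate.example" url="/error" httpmethod="POST" attackid=10002887 msg="vPatch: FortiOS.SSL-VPN.Heap.Buffer.Overflow." crlevel="critical"
2: date=2023-11-07 time=06:42:09 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 dstip=10.1.100.1 srcintf="port2" dstintf="root" sessionid=1066 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.NodeJS.Proxy.Authentication.Bypass." srcport=42352 dstport=443 hostname="127.0.0.1:9980" url="/api/v2/cmdb/system/admin" agent="Node.js" httpmethod="GET" attackid=10002156 msg="vPatch: FortiOS.NodeJS.Proxy.Authentication.Bypass." crlevel="critical"
3: date=2023-11-07 time=06:43:30 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="warning" vd="root" severity="medium" srcip=10.1.100.50 dstip=192.0.2.10 srcintf="port2" dstintf="port1" sessionid=1120 action="detected" proto=6 service="HTTP" policyid=5 attack="Example.Placeholder.Signature" srcport=50000 dstport=80 attackid=0 msg="web_app: Example.Placeholder.Signature" crlevel="medium"
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Turn one FortiGate log line into a dict of string fields."""
    line = re.sub(r"^\s*\d+:\s*", "", line)  # drop the "N: " numbering prefix
    rec = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        rec[key] = quoted if quoted is not None else bare
    return rec


def is_vpatch_drop(rec: dict) -> bool:
    """True for IPS records where the local-in virtual patch dropped the session."""
    return (rec.get("type") == "utm" and rec.get("subtype") == "ips"
            and rec.get("action") == "dropped"
            and rec.get("msg", "").startswith("vPatch:"))


def summarize_vpatch_drops(text: str) -> dict:
    """Count vPatch drops per signature id, signature name, source IP and target."""
    records = [parse_fortigate_log(ln) for ln in text.splitlines() if ln.strip()]
    drops = [r for r in records if is_vpatch_drop(r)]
    return {
        "count": len(drops),
        "by_attackid": Counter(r["attackid"] for r in drops),
        "by_attack": Counter(r["attack"] for r in drops),
        "by_srcip": Counter(r["srcip"] for r in drops),
        # (dstip, dstport) shows which local service (GUI port vs SSL VPN port) was hit
        "targets": Counter((r["dstip"], r["dstport"]) for r in drops),
    }


if __name__ == "__main__":
    summary = summarize_vpatch_drops(SAMPLE_LOGS)
    print(f"{summary['count']} vPatch drops")
    for (ip, port), n in summary["targets"].items():
        print(f"  target {ip}:{port}  drops={n}")
    for attack, n in summary["by_attack"].items():
        print(f"  {attack}  drops={n}")
```

Feeding it the output of `execute log display` after an IPS log filter has been set lets you confirm that drops appear on the dstport values you configured in the Local-in Policy service (10443 for SSL VPN and 443 for the GUI in the examples above); a port missing from the "targets" counter while the signature is listed by `diagnose ips vpatch status` usually means the Service entry in the policy does not match the port the FortiGate actually listens on.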
    

Other CLI commands

Query the vulnerability information for a specific version through the CLI.

FortiGate # diagnose wad dev-vuln query vendor=fortinet&version=7.2.5&product=fortios
Dev-Vuln Lookup result: success, cache: found, fgd: unknown, item: 0x7fb474e0b4a0
Vulnerability details: 
info entry (1):
        'vendor' = fortinet
       'product' = fortios
         'model' = N/A
   'version.min' = 7.2.0
   'version.max' = 7.2.5
      'firmware' = N/A
         'build' = N/A
    'date_added' = 2023-08-22T13:09:11
  'date_updated' = 2023-08-22T13:09:11
        'sig_id' = 10004065
       'vuln_id' = 918630
      'severity' = 3
...
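The dev-vuln lookup above returns one "info entry" block per vulnerability, each with a version.min/version.max window. The following Python script is an added example, not the page's or Fortinet's code: it parses that block layout and reports which entries' windows cover a given running FortiOS version, using an inclusive tuple comparison and treating N/A as an unbounded side. Entry 1 of the sample output is the entry shown above; entry 2 is a constructed placeholder (sig_id 99999999 is not a real signature) added so that a non-matching window is exercised.

```python
"""Parse `diagnose wad dev-vuln query` output and check a running version
against each entry's version.min..version.max window.

Added example, not Fortinet's code. The entry layout follows the output
shown on this page; the second entry in the sample is constructed.
"""
import re

# Constructed sample: entry (1) copied from the page, entry (2) a placeholder.
SAMPLE_OUTPUT = """\
Dev-Vuln Lookup result: success, cache: found, fgd: unknown, item: 0x7fb474e0b4a0
Vulnerability details:
info entry (1):
        'vendor' = fortinet
       'product' = fortios
         'model' = N/A
   'version.min' = 7.2.0
   'version.max' = 7.2.5
      'firmware' = N/A
         'build' = N/A
    'date_added' = 2023-08-22T13:09:11
  'date_updated' = 2023-08-22T13:09:11
        'sig_id' = 10004065
       'vuln_id' = 918630
      'severity' = 3
info entry (2):
        'vendor' = fortinet
       'product' = fortios
   'version.min' = 7.4.0
   'version.max' = 7.4.1
        'sig_id' = 99999999
      'severity' = 2
"""

ENTRY_RE = re.compile(r"^info entry \((\d+)\):")
FIELD_RE = re.compile(r"^\s*'([\w.]+)'\s*=\s*(.*?)\s*$")


def parse_dev_vuln(text: str) -> list:
    """Split the output into one dict per 'info entry' block."""
    entries = []
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            entries.append({})
        elif entries:
            m = FIELD_RE.match(line)
            if m:
                entries[-1][m.group(1)] = m.group(2)
    return entries


def version_tuple(v: str):
    """'7.2.5' -> (7, 2, 5); 'N/A' or empty -> None (unbounded side of the window)."""
    if v in ("N/A", ""):
        return None
    return tuple(int(p) for p in v.split("."))


def version_in_window(running: str, vmin: str, vmax: str) -> bool:
    """Inclusive check: version.min <= running <= version.max."""
    r = version_tuple(running)
    lo, hi = version_tuple(vmin), version_tuple(vmax)
    return (lo is None or lo <= r) and (hi is None or r <= hi)


def affected_sig_ids(text: str, running: str) -> list:
    """sig_id values of every entry whose window covers the running version."""
    return [e["sig_id"] for e in parse_dev_vuln(text)
            if version_in_window(running, e.get("version.min", "N/A"),
                                 e.get("version.max", "N/A"))]


if __name__ == "__main__":
    for ver in ("7.2.5", "7.2.6", "7.4.1"):
        print(ver, "->", affected_sig_ids(SAMPLE_OUTPUT, ver) or "no matching entries")
```

The inclusive upper bound matters: the query above was made for version=7.2.5 and the entry's version.max is 7.2.5, so that version is inside the window, while 7.2.6 is not.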

Copyright © 2024 Fortinet Inc. All rights reserved. Powered by Fortinet TAC Team.
This page was revised on: 2024-02-02 09:55:40