{"id":38652,"date":"2019-10-02T07:10:46","date_gmt":"2019-10-02T00:10:46","guid":{"rendered":"https:\/\/deepquest.code511.com\/blog\/2019\/10\/fortinet-fortisiem-5-0-5-2-1-improper-certification-validation\/"},"modified":"2019-10-02T07:10:46","modified_gmt":"2019-10-02T00:10:46","slug":"fortinet-fortisiem-5-0-5-2-1-improper-certification-validation","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2019\/10\/fortinet-fortisiem-5-0-5-2-1-improper-certification-validation\/","title":{"rendered":"Fortinet FortiSIEM 5.0 \/ 5.2.1 Improper Certification Validation"},"content":{"rendered":"<p>A FortiSIEM collector connects to a Supervisor\/Worker over HTTPS TLS (443\/TCP) to register itself as well as relaying event data such as syslog, netflow, SNMP, etc. When the Collector (the client) connects to the Supervisor\/Worker (the server), the client does not validate the server-provided certificate against its root-CA store. Since the client does no server certificate validation, this means any certificate presented to the client will be considered valid and the connection will succeed. If an attacker spoofs a Worker\/Supervisor using an ARP or DNS poisoning attack (or any other MITM attack), the Collector will blindly connect to the attacker&#8217;s HTTPS TLS server. It will disclose the authentication password used along with any data being relayed. Versions 5.0 and 5.2.1 have been tested and are affected.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A FortiSIEM collector connects to a Supervisor\/Worker over HTTPS TLS (443\/TCP) to register itself as well as relaying event data such as syslog, netflow, SNMP, etc. When the Collector (the&#8230;<\/p>\n","protected":false},"author":439,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[43],"tags":[],"class_list":["post-38652","post","type-post","status-publish","format-standard","hentry","category-exploit"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-a3q","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/38652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/439"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=38652"}],"version-history":[{"count":0,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/38652\/revisions"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=38652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=38652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=38652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}