CVE-2019-5591
published 2020-08-14

Priority: P1 (82)
CVSS 3.1: 6.5 (Medium)   AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 18.57% (96.9th percentile)

A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.

Affected (3 ranges)

Vendor     Product            Version range   Fixed in
fortinet   fortinet_fortios
fortinet   fortios            <= 6.2.0
fortinet   fortios

Detection & IOCs (extracted from sources)

port 4443
port 8443
port 10443
url /login
url /logincheck

Nuclei template
id: CVE-2019-5591
info:
  name: FortiOS - Insecure LDAP Configuration Detection
  author: ayewo
  severity: medium
  description: |
    The FortiGate LDAP configuration was detected to be insecure due to missing ca-cert, secure LDAPS, or server-identity-check, potentially exposing LDAP communications to credential interception or man-in-the-middle attacks under specific network conditions.
  impact: |
    Unauthenticated attackers can intercept sensitive information by impersonating LDAP servers within the same subnet.
  remediation: |
    Configure LDAP server settings properly and disable default configurations; update to the latest firmware version.
  reference:
    - https://github.com/ayewo/fortios-ldap-mitm-poc-CVE-2019-5591
    - https://www.fortiguard.com/psirt/FG-IR-19-037
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2019-5591
    epss-score: 0.4836
    epss-percentile: 0.97747
    cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: fortinet
    product: fortigate
    shodan-query: 'cpe:"cpe:2.3:o:fortinet:fortios"'
  tags: cve,cve2019,fortinet,ldap,kev,vkev,oast

variables:
  username: "{{rand_text_alpha(10)}}"
  password: "{{rand_text_alphanumeric(12)}}"

http:
  - raw:
    - |
      GET /login HTTP/1.1
      Host: {{Hostname}}

    - |
      POST /logincheck HTTP/1.1
      Host: {{Hostname}}
      Content-Type: text/plain;charset=UTF-8

      ajax=1&username={{username}}&secretkey={{interactsh-url}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'name="username"'
          - 'name="secretkey"'
        condition: and

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - contains(body_2, "0")
          - contains(body_2, "1")
          - contains(body_2, "2")
        condition: or

      - type: word
        part: body_2
        words:
          - "ajax=1&username="
        condition: or
        negative: true

      - type: word
        part: interactsh_protocol
        words:
          - "dns"
          - "http"

• Detect probes for CVE-2019-5591 by monitoring POST requests to /logincheck with Content-Type: text/plain;charset=UTF-8 and a body beginning 'ajax=1&username=' against FortiGate devices. Caveat: this is also the shape of a normal FortiGate web-UI login, so alert on it only together with a callback-style 'secretkey' value or an untrusted source address, never on the pattern alone.
• Monitor for scanning against FortiGate devices on ports 4443, 8443 and 10443; these were observed as enumeration ports used by APT actors targeting CVE-2019-5591 and related Fortinet vulnerabilities.
• Inventory exposed FortiOS instances with the Shodan query for the FortiOS CPE string, as used in the Nuclei template for CVE-2019-5591, then check each appliance's LDAP configuration rather than treating exposure alone as vulnerability.
• The FortiGate is the LDAP client: it opens the connection to the server configured under 'config user ldap'. Detect impersonation from the appliance's outbound side: LDAP/LDAPS (389/636) flows from the FortiGate to a host or MAC address other than the configured server, ARP changes for the server's IP on the FortiGate's subnet, or a server certificate that differs from the expected one. Inbound LDAP requests to the FortiGate are not the signal.
• Use the interactsh callback on the 'secretkey' value in the /logincheck POST as the template's positive signal. A DNS or HTTP callback only shows that something resolved or fetched the attacker-supplied value; it does not by itself prove that the appliance skips LDAP server certificate verification.

• CVE-2019-5591 is a default configuration flaw: FortiOS does not verify the LDAP server certificate by default (no ca-cert, no secure LDAPS, no server-identity-check), so an attacker on the same subnet can impersonate the LDAP server and intercept the bind credentials and directory traffic.
• Exploitation requires the attacker to be on the same subnet as the FortiGate (CVSS AV:A); remote unauthenticated exploitation from the internet is not possible for this specific CVE.
• The Nuclei template is a probe, not an exploit: an out-of-band (interactsh) callback via the 'secretkey' field of /logincheck should be correlated with inspection of the LDAP configuration before the device is reported as vulnerable.
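A configuration audit for the default described above, written for this page as an added example (it is not Fortinet's code and not from the PoC repository): it parses the output of `show full-configuration user ldap` and flags every entry that lacks `secure ldaps` (or `starttls`), a `ca-cert`, or `server-identity-check enable`. The sample configuration, entry names, hosts and certificate name are constructed; treating an absent setting as the insecure pre-6.2.1 default is an assumption, which is why the full-configuration form (defaults printed) is the intended input.

```python
"""Audit FortiOS 'config user ldap' entries for the CVE-2019-5591 default.

Added example, not Fortinet's code. Input is the output of
`show full-configuration user ldap` so that default values are printed.
"""
import re
from typing import Dict, List

# Constructed sample: one entry left at the insecure <= 6.2.0 defaults and
# one hardened entry. Names, hosts and the CA certificate name are made up.
SAMPLE_CONFIG = """\
config user ldap
    edit "ad-default"
        set server "10.10.10.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=fgt-bind,CN=Users,DC=corp,DC=example"
        set password ENC XXXX
        set secure disable
        set server-identity-check disable
    next
    edit "ad-hardened"
        set server "dc01.corp.example"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=fgt-bind,CN=Users,DC=corp,DC=example"
        set password ENC XXXX
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_corp"
        set server-identity-check enable
    next
end
"""

_EDIT = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_user_ldap(text: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {setting: value}} for each `edit ... next` block."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _EDIT.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = _SET.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def audit_entry(settings: Dict[str, str]) -> List[str]:
    """List the weaknesses that let an on-path host impersonate the LDAP server.

    Assumption: a setting that is absent is at its <= 6.2.0 default
    (`secure disable`, no `ca-cert`, identity check off) and therefore weak.
    """
    findings = []
    if settings.get("secure", "disable") not in ("ldaps", "starttls"):
        findings.append("plaintext LDAP: bind credentials readable on the wire")
    if not settings.get("ca-cert"):
        findings.append("no ca-cert: server certificate is not validated")
    if settings.get("server-identity-check", "disable") != "enable":
        findings.append("server-identity-check off: a certificate for any name is accepted")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every entry; an empty finding list means the entry is hardened."""
    return {name: audit_entry(s) for name, s in parse_user_ldap(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else 'WEAK'}")
        for f in findings:
            print(f"  - {f}")
```

The "ad-hardened" entry is the corrected form of the same server definition: LDAPS on 636, the issuing CA pinned with `ca-cert`, and `server-identity-check enable` so the certificate must also match the configured server name. Identity checking against a bare IP address in `set server` only works if the server certificate carries that IP as a SAN, so use the hostname when hardening.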

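The detection guidance above, run over sample data, as an added example that is not from the page's sources. It assumes a reverse proxy or WAF in front of the FortiGate web UI that logs POST bodies as JSON lines, flow records of the appliance's own outbound LDAP connections, and the default interactsh domains used by the public Nuclei template; every log line, field name and address is constructed.

```python
"""Flag CVE-2019-5591 probe traffic and LDAP-impersonation signs in logs.

Added example, not from the page's sources. Inputs are constructed:
JSON lines from a proxy/WAF that records POST bodies, and flow records of
the FortiGate's outbound LDAP client traffic. Field names are assumptions.
"""
import json
from typing import Dict, List, Set
from urllib.parse import parse_qs

# Default interactsh domains the public Nuclei template would use for its
# out-of-band callback (assumption: the scanner was not given a custom server).
OAST_SUFFIXES = ("interact.sh", "oast.pro", "oast.live", "oast.site",
                 "oast.online", "oast.fun", "oast.me")

# Constructed WAF log: a legitimate GUI login, the Nuclei-style probe, and an
# unrelated request. The ordinary login must NOT be flagged.
WAF_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "10.10.20.7", "method": "POST", "path": "/logincheck",
     "ctype": "text/plain;charset=UTF-8",
     "body": "ajax=1&username=admin&secretkey=Winter2024%21"},
    {"src": "203.0.113.9", "method": "POST", "path": "/logincheck",
     "ctype": "text/plain;charset=UTF-8",
     "body": "ajax=1&username=kqzvwmxyab&secretkey=c0ffee.oast.fun"},
    {"src": "203.0.113.9", "method": "GET", "path": "/login",
     "ctype": "", "body": ""},
])

# Constructed flow records for the FortiGate (10.10.1.1) as LDAP client.
LDAP_SERVERS = {"10.10.10.5"}          # the configured `set server` value(s)
FLOW_LOG = "\n".join([
    "src=10.10.1.1 dst=10.10.10.5 dport=389 proto=tcp",
    "src=10.10.1.1 dst=10.10.1.77 dport=389 proto=tcp",   # redirected by ARP spoofing
    "src=10.10.1.1 dst=10.10.10.5 dport=636 proto=tcp",
])


def looks_like_oast(value: str) -> bool:
    """True when a value is a hostname under one of the interactsh domains."""
    host = value.lower().split("/")[0]
    return any(host == s or host.endswith("." + s) for s in OAST_SUFFIXES)


def detect_logincheck_probes(log: str) -> List[Dict[str, str]]:
    """Return /logincheck POSTs whose secretkey is an OAST callback hostname.

    The bare pattern (POST /logincheck, text/plain, ajax=1&username=) is the
    normal FortiGate web-UI login exchange, so it is only a signal together
    with a callback-style secretkey (or an untrusted source address).
    """
    hits = []
    for line in log.splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or rec["path"] != "/logincheck":
            continue
        if "ajax=1&username=" not in rec["body"]:
            continue
        secret = parse_qs(rec["body"]).get("secretkey", [""])[0]
        if looks_like_oast(secret):
            hits.append({"src": rec["src"], "secretkey": secret})
    return hits


def detect_ldap_impersonation(flows: str, servers: Set[str]) -> List[str]:
    """Flag LDAP/LDAPS connections from the FortiGate to a host other than
    the configured server: the appliance is the LDAP client, so an
    impersonator appears as an unexpected destination, not an inbound peer."""
    bad = []
    for line in flows.splitlines():
        kv = dict(field.split("=", 1) for field in line.split())
        if kv["dport"] in ("389", "636") and kv["dst"] not in servers:
            bad.append(kv["dst"])
    return bad


if __name__ == "__main__":
    print("probes:", detect_logincheck_probes(WAF_LOG))
    print("unexpected LDAP servers:", detect_ldap_impersonation(FLOW_LOG, LDAP_SERVERS))
```

The flow check is the one that actually corresponds to the vulnerability: the probe detector only tells you someone ran the scanner, while an LDAP flow from the appliance to a host that is not the configured server is the impersonation itself. On an appliance still at the default settings, pair it with an ARP-table watch for the LDAP server's address on the FortiGate's subnet.
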
CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     6.5    MEDIUM    CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0     3.3    LOW       AV:A/AC:L/Au:N/C:P/I:N/A:N
vulncheck            6.5    MEDIUM
cisa                 6.5    MEDIUM