PSIRT Advisories

1. Administrator cookie leakage

   An insufficiently protected credentials vulnerability (CWE-522) in FortiOS and FortiProxy may allow an attacker to obtain the administrator cookie in rare and specific conditions, via tricking the administrator into visiting a malicious attacker-controlled website through the SSL-VPN.

2. Arbitrary file delete on endpoint

   An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow an authenticated attacker with at least read-only permission to delete arbitrary files via crafted HTTP requests.

3. Arbitrary file read on endpoint

   An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability |CWE-22] in FortiSandbox may allow an authenticated attacker with at least read-only permission to read arbitrary files via crafted http requests.

4. FortiMail - SMTP Smuggling

   Fortinet is aware of the new SMTP smuggling technique.By exploiting interpretation differences of the SMTP protocol for the end of data sequence, it is possible to send spoofed e-mails, while still passing SPF alignment checks.FortiMail may be susceptible to smuggling attacks if some measures are not put in place. We therefore recommend to adhere to the following indications in order to mitigate the potential risk associated to the smuggling attacks:- Enable DKIM (Domain Keys Identified Mail) to enhance e-mail authentication. Select "None" action under DKIM check in AntiSpam profile in order to block by default e-mail without DKIM signature.- Disable "any-any" traffic policy to restrict unauthorized access.- Modify the configuration settings in line with the recommended security practices (DMARC/DKIM/SPF, proper ACL policy, avoid open relay MTA).

5. FortiManager - Code Injection via Jinja Template

   An improper neutralization of special elements used in a template engine [CWE-1336] vulnerability in FortiManager provisioning templates may allow a local authenticated attacker with at least read-only permissions to execute arbitrary code via specially crafted templates.

6. FortiOS - Format String in CLI command

   A use of externally-controlled format string vulnerability [CWE-134] in FortiOS command line interface may allow a local privileged attacker with super-admin profile and CLI access to execute arbitrary code or commands via specially crafted requests.

7. FortiSandbox - Arbitrary file write on CLI leading to arbitrary code execution

   An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to execute arbitrary code via CLI.

8. FortiSandbox - Command injection impacting CLI command

   An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to execute arbitrary code via CLI.

9. Lack of certificate validation

   An improper certificate validation vulnerability [CWE-295] in FortiNAC-F may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the HTTPS communication channel between the FortiOS device, an inventory, and FortiNAC-F.

10. Lack of configuration file validation

    An external control of file name or path vulnerability [CWE-73] in FortiClientMac's installer may allow a local attacker to execute arbitrary code or commands via writing a malicious configuration file in /tmp before starting the installation process.

11. OS command injection on endpoint

    Multiple improper neutralization of special elements used in an OS Command vulnerabilities [CWE-78] in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.

12. Remote Code Execution due to dangerous ELECTRONJS configuration

    An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientLinux may allow##an unauthenticated attacker to execute arbitrary code via tricking a FortiClientLinux user into visiting a malicious website.

13. Web server ETag exposure

    An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS may allow an unauthenticated attacker to fingerprint the device version via HTTP requests.

14. Authorization bypass in SSLVPN bookmarks

    An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS and FortiProxy SSLVPN may allow an authenticated attacker to gain access to another user’s bookmark via URL manipulation.

15. CSV injection in log download feature

    An improper neutralization of formula elements in a CSV File vulnerability [CWE-1236] in FortiClientEMS may allow a remote and unauthenticated attacker to execute arbitrary commands on the admin workstation via creating malicious log entries with crafted requests to the server.

16. Format string vulnerability in administrative interface

    A use of externally-controlled format string vulnerability [CWE-134] in FortiManager, FortiAnalyzer, FortiAnalyzer-BigData & FortiPortal may allow a privileged attacker to execute unauthorized code or commands via specially crafted command arguments.

17. FortiPortal - Improper Authorization in reports download

    An improper authorization vulnerability [CWE-285] in FortiPortal reports may allow a user to download other organizations reports via modification in the request payload.

18. Improper access control in backup and restore features

    An improper access control vulnerability [`CWE-284]` in FortiWLM MEA for FortiManager may allow an unauthenticated remote attacker to execute arbitrary code or commands via specifically crafted requests.Note that FortiWLM MEA is not installed by default on FortiManager and can be disabled as a workaround.

19. Improper authentication following read-only user login

    An improper authentication vulnerability [CWE-287] in FortiOS when configured with FortiAuthenticator in HA may allow an authenticated attacker with at least read-only permission to gain read-write access via successive login attempts.

20. Out-of-bounds Write in captive portal

    An out-of-bounds write vulnerability [CWE-787] and a Stack-based Buffer Overflow [CWE-121] in FortiOS & FortiProxy captive portal may allow an inside attacker who has access to captive portal to execute arbitrary code or commands via specially crafted HTTP requests.Workaround:Set a non form-based authentication scheme:config authentication schemeedit schemeset method methodnextendWhere can be any of those :ntlm NTLM authentication.basic Basic HTTP authentication.digest Digest HTTP authentication.negotiate Negotiate authentication.fsso Fortinet Single Sign-On (FSSO) authentication.rsso RADIUS Single Sign-On (RSSO) authentication.ssh-publickey Public key based SSH authentication.cert Client certificate authentication.saml SAML authenticationNone of the enabled authentication schemes should be form-based.Please note that only devices with captive portal enabled are affected.

21. Pervasive SQL injection in DAS component

    An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

22. XSS in Show Audit Log

    An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiNAC may allow a remote unauthenticated attacker to perform a stored cross site scripting (XSS) attack via the name fields observed in the policy audit logs.

23. CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability

    The Fortinet Product Security team has evaluated the impact of the vulnerablity HTTP/2 Rapid Reset Attack, listed below:CVE-2023-44487:The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly.https://nvd.nist.gov/vuln/detail/CVE-2023-44487

24. Format String Bug in fgfmd

    A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

25. FortiClientEMS - Improper privilege management for site super administrator

    An improper privilege management vulnerability [CWE-269] in FortiClientEMS graphical administrative interface may allow an Site administrator with Super Admin privileges to perform global administrative operations affecting other sites via crafted HTTP or HTTPS requests.