Fortinet Vulnerability Advisories March 2022

US security vendor Fortinet already published security advisories on larger vulnerabilities in its products (firewalls etc.) at the beginning of March 2022. Blog reader Martin H. informed me about these advisories by e-mail a few days ago. I am therefore simply posting the relevant information here on the blog without further comment.



March 2022 Vulnerability Advisories

Here is the list of vulnerabilities in the various Fortinet products.

FortiWLM – Path traversal vulnerability

Advisory Summary: Path traversal vulnerability in FortiWLM.

Affected Products: FortiWLM versions 8.6.2 and below. FortiWLM versions 8.5.2 and below. FortiWLM versions 8.4.2 and below. FortiWLM versions 8.3.3 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-106



CVSS Score: 5.3

FortiManager — Password observed in cleartext in the config conflict file

Advisory Summary: Password observed in cleartext in the config conflict file

Affected Products: FortiManager version 6.2.0 through 6.2.9. FortiManager version 6.4.0 through 6.4.7. FortiManager version 7.0.0 through 7.0.2.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-165

CVSS Score: 2.8

FortiPortal – Insecure password generation

Advisory Summary: Weak PRNG in FortiPortal

Affected Products: FortiPortal version 6.0.5 and below. FortiPortal version 5.3.6 and below. FortiPortal version 5.2.6 and below. FortiPortal version 5.1.2 and below. FortiPortal version 5.0.3 and below. FortiPortal version 4.2.4 and below. FortiPortal version 4.1.2 and below. FortiPortal version 4.0.4 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-099

CVSS Score: 7.4

FortiMail – Administrative authentication bypass

Advisory Summary: Improper authentication in FortiMail.

Affected Products: FortiMail version 7.0.0 and below. FortiMail version 6.4.5 and below. FortiMail version 6.2.7 and below. FortiMail version 6.0.11 and below. FortiMail version 5.4.12 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-028

CVSS Score: 9.3

FortiMail – Unsafe handling of CGI environment parameters in web server framework

Advisory Summary: An instance of Improper Input Validation (CWE-20) in the CGI facilities affects FortiMail.

Affected Products: FortiMail 7.0.0. FortiMail 6.4.5 and below. FortiMail 6.2.7 and below. FortiMail 6.0.11 and below. FortiMail 5.4.12 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-008

CVSS Score: 7.3

FortiAP-C – Command injection in CLI

Advisory Summary: Command injection vulnerability in FortiAP-C CLI

Affected Products: FortiAP-C version 5.4.0 through 5.4.3

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-227

CVSS Score: 7.3

FortiOS – Bypassing FortiGate security profiles via SNI in Client Hello

Advisory Summary: Information disclosure in FortiGate

Affected Products: FortiOS version 6.4.3 and below. FortiOS version 6.2.5 and below. FortiOS version 6.0.11 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-20-091

CVSS Score: 2.6

FortiToken Mobile (Android) – Deny request approved from external push notification

Advisory Summary: Improper access control vulnerability in FortiToken Mobile (Android) external push notification.

Affected Products: FortiToken Mobile (Android) version 5.1.0 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-210

CVSS Score: 3.9

FortiAnalyzer, FortiManager – bypass of client-side password change policy enforcement

Advisory Summary: Password-change policy bypass in FortiAnalyzer and FortiManager

Affected Products: FortiManager version 5.6.0 through 5.6.11. FortiManager version 6.0.0 through 6.0.11. FortiManager version 6.2.0 through 6.2.9. FortiManager version 6.4.0 through 6.4.7. FortiManager version 7.0.0 through 7.0.2. FortiAnalyzer version 5.6.0 through 5.6.11. FortiAnalyzer version 6.0.0 through 6.0.11. FortiAnalyzer version 6.2.0 through 6.2.9. FortiAnalyzer version 6.4.0 through 6.4.7. FortiAnalyzer version 7.0.0 through 7.0.2.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-255

CVSS Score: 3.9

FortiWLM – Command injection in script handlers

Advisory Summary: OS command injection in FortiWLM

Affected Products: FortiWLM version 8.6.2 and below. FortiWLM version 8.5.2 and below. FortiWLM version 8.4.2 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-128

CVSS Score: 8.3

FortiWLM – SQL Injection in AP report handlers

Advisory Summary: SQL injection in FortiWLM

Affected Products: FortiWLM version 8.6.2 and below. FortiWLM version 8.5.2 and below. FortiWLM version 8.4.2 and below. FortiWLM version 8.3.2 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-189

CVSS Score: 8.3
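The entries above give affected version ranges in two forms: "X.Y.Z and below" and "A through B". The following script, an added example and not Fortinet tooling, transcribes exactly those ranges from this page and answers the question a practitioner asks first: which of these advisories apply to the product version a device reports? Two things are assumptions, not page content: "X.Y.Z and below" is read the way Fortinet PSIRT normally uses it, meaning every release of the X.Y branch up to and including X.Y.Z, not every release of the product ever shipped; and because the page lists no fixed versions, an empty result means only that no affected range on this page matches, not that the version is patched. The sample versions in the `__main__` block are constructed for illustration.

```python
"""Match a Fortinet product version against the affected ranges listed on this page.

Added example, not Fortinet tooling. Ranges are transcribed from the March 2022
advisory entries above. Assumption: "X.Y.Z and below" covers the X.Y branch up to
and including X.Y.Z. Fixed versions are not on the page and are not encoded here.
"""
from __future__ import annotations

Version = tuple[int, int, int]
Range = tuple[Version, Version]

# (advisory id, products, short title, CVSS, affected-range spec), taken from this page.
# Spec tokens: "<=8.6.2" means "8.6.2 and below" (the 8.6 branch up to 8.6.2),
# "6.2.0-6.2.9" means "6.2.0 through 6.2.9" (inclusive at both ends).
ADVISORIES = (
    ("FG-IR-21-106", ("FortiWLM",), "Path traversal", 5.3,
     "<=8.6.2 <=8.5.2 <=8.4.2 <=8.3.3"),
    ("FG-IR-21-165", ("FortiManager",), "Cleartext password in config conflict file", 2.8,
     "6.2.0-6.2.9 6.4.0-6.4.7 7.0.0-7.0.2"),
    ("FG-IR-21-099", ("FortiPortal",), "Weak PRNG in password generation", 7.4,
     "<=6.0.5 <=5.3.6 <=5.2.6 <=5.1.2 <=5.0.3 <=4.2.4 <=4.1.2 <=4.0.4"),
    ("FG-IR-21-028", ("FortiMail",), "Administrative authentication bypass", 9.3,
     "<=7.0.0 <=6.4.5 <=6.2.7 <=6.0.11 <=5.4.12"),
    ("FG-IR-21-008", ("FortiMail",), "Unsafe handling of CGI environment parameters", 7.3,
     "7.0.0-7.0.0 <=6.4.5 <=6.2.7 <=6.0.11 <=5.4.12"),
    ("FG-IR-21-227", ("FortiAP-C",), "Command injection in CLI", 7.3,
     "5.4.0-5.4.3"),
    ("FG-IR-20-091", ("FortiOS",), "Security profile bypass via SNI in Client Hello", 2.6,
     "<=6.4.3 <=6.2.5 <=6.0.11"),
    ("FG-IR-21-210", ("FortiToken Mobile (Android)",),
     "Improper access control in external push notification", 3.9, "<=5.1.0"),
    ("FG-IR-21-255", ("FortiManager", "FortiAnalyzer"), "Password-change policy bypass", 3.9,
     "5.6.0-5.6.11 6.0.0-6.0.11 6.2.0-6.2.9 6.4.0-6.4.7 7.0.0-7.0.2"),
    ("FG-IR-21-128", ("FortiWLM",), "OS command injection in script handlers", 8.3,
     "<=8.6.2 <=8.5.2 <=8.4.2"),
    ("FG-IR-21-189", ("FortiWLM",), "SQL injection in AP report handlers", 8.3,
     "<=8.6.2 <=8.5.2 <=8.4.2 <=8.3.2"),
)


def parse_version(text: str) -> Version:
    """'6.4.7' -> (6, 4, 7); '7.0' is padded to (7, 0, 0). Rejects non-numeric input."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def parse_ranges(spec: str) -> list[Range]:
    """Turn a spec string into inclusive (low, high) version pairs."""
    ranges: list[Range] = []
    for token in spec.split():
        if token.startswith("<="):
            top = parse_version(token[2:])
            ranges.append(((top[0], top[1], 0), top))   # whole X.Y branch up to top
        else:
            low, high = token.split("-")
            ranges.append((parse_version(low), parse_version(high)))
    return ranges


def matching_advisories(product: str, version: str) -> list[tuple[str, str, float]]:
    """Advisories on this page whose affected ranges include (product, version),
    highest CVSS first. Empty list = no listed range matches, NOT 'patched'."""
    v = parse_version(version)
    hits = [
        (fg_ir, title, cvss)
        for fg_ir, products, title, cvss, spec in ADVISORIES
        if product in products and any(lo <= v <= hi for lo, hi in parse_ranges(spec))
    ]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for product, version in (("FortiMail", "6.4.5"), ("FortiWLM", "8.3.3"),
                             ("FortiManager", "6.4.7"), ("FortiOS", "6.4.4")):
        hits = matching_advisories(product, version)
        print(f"{product} {version}: " + (", ".join(
            f"{i} ({t}, CVSS {c})" for i, t, c in hits) if hits else "no listed range matches"))
```

When extending the table with a new advisory, the only decision is which token form to use: "and below" wording becomes a `<=` token, an explicit "through" range becomes `low-high`. The FortiMail CGI entry shows why the two are kept apart: "FortiMail 7.0.0" alone is a single-version range, while "7.0.0 and below" in the authentication-bypass entry resolves to the same single version only because the 7.0 branch starts at 7.0.0.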

