Fortinet Vulnerability Advisories March 2022

Posted on 2022-03-09 by guenni

Sicherheit (Pexels, allgemeine Nutzung)[German]US security provider Fortinet has already published security advisories on major vulnerabilities in its products (firewalls etc.) at the beginning of March 2022. Blog reader Martin H. had informed me about these security advisories via email the other day. So I'm just posting the information here without commenting.

Advertising

March 2022 Vulnerability Advisories

Here is the list of vulnerabilities in the various Fortinet products.

FortiWLM – Path traversal vulnerability

Advisory Summary: Path traversal vulnerability in FortiWLM.

Affected Products: FortiWLM versions 8.6.2 and below. FortiWLM versions 8.5.2 and below. FortiWLM versions 8.4.2 and below. FortiWLM versions 8.3.3 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-106

CVSS Score: 5.3

Advertising

FortiManager — Password observed in cleartext in the config conflict file

Advisory Summary: Password observed in cleartext in the config conflict file

Affected Products: FortiManager version 6.2.0 through 6.2.9FortiManager version 6.4.0 through 6.4.7FortiManager version 7.0.0 through 7.0.2

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-165

CVSS Score: 2.8

FortiPortal – Insecure password generation

Advisory Summary: Weak PRNG in FortiPortal

Affected Products: FortiPortal version 6.0.5 and below. FortiPortal version 5.3.6 and below. FortiPortal version 5.2.6 and below. FortiPortal version 5.1.2 and below. FortiPortal version 5.0.3 and below. FortiPortal version 4.2.4 and below. FortiPortal version 4.1.2 and below. FortiPortal version 4.0.4 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-099

CVSS Score: 7.4

FortiMail – Administrative authentication bypass

Advisory Summary: Improper authentication in FortiMail.

Affected Products: FortiMail version 7.0.0 and below. FortiMail version 6.4.5 and below. FortiMail version 6.2.7 and below. FortiMail version 6.0.11 and below. FortiMail version 5.4.12 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-028

CVSS Score: 9.3

FortiMail – Unsafe handling of CGI environment parameters in web server framework

Advisory Summary: An instance of Improper Input Validation (CWE-20) in the CGI  facilities affects FortiMail

Affected Products: FortiMail 7.0.0. FortiMail 6.4.5 and below. FortiMail 6.2.7 and below. FortiMail 6.0.11 and below. FortiMail 5.4.12 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-008

CVSS Score: 7.3

FortiAP-C – Command injection in CLI

Advisory Summary: Command injection vulnerability in FortiAP-C CLI

Affected Products: FortiAP-C version 5.4.0 through 5.4.3

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-227

CVSS Score: 7.3

FortiOS – Bypassing FortiGate security profiles via SNI in Client Hello

Advisory Summary: Information disclosure in FortiGate

Affected Products: FortiOS version 6.4.3 and belowFortiOS version 6.2.5 and belowFortiOS version 6.0.11 and below

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-20-091

CVSS Score: 2.6

FortiToken Mobile (Android) – Deny request approved from External push notification

Advisory Summary:

Improper access control vulnerability in FortiToken Mobile (Android) external push notification

Affected Products: FortiToken Mobile (Android) version 5.1.0 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-210

CVSS Score: 3.9

FortiAnalyzer, FortiManager – bypass of client-side password change policy enforcement

Advisory Summary: Password-change policy bypass in FortiAnalyzer and FortiManager

Affected Products: FortiManager version 5.6.0 through 5.6.11 FortiManager version 6.0.0 through 6.0.11 FortiManager version 6.2.0 through 6.2.9 FortiManager version 6.4.0 through 6.4.7 FortiManager version 7.0.0 through 7.0.2 FortiAnalyzer version 5.6.0 through 5.6.11 FortiAnalyzer version 6.0.0 through 6.0.11 FortiAnalyzer version 6.2.0 through 6.2.9 FortiAnalyzer version 6.4.0 through 6.4.7 FortiAnalyzer version 7.0.0 through 7.0.2

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-255

CVSS Score: 3.9

FortiWLM – command Injection in script handlers

Advisory Summary: OS command injection in FortiWLM

Affected Products: FortiWLM version 8.6.2 and below FortiWLM version 8.5.2 and below FortiWLM version 8.4.2 and below

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-128

CVSS Score: 8.3

FortiWLM – SQL Injection in AP report handlers

Advisory Summary: SQL injection in FortiWLM

Affected Products: FortiWLM version 8.6.2 and below. FortiWLM version 8.5.2 and below. FortiWLM version 8.4.2 and below. FortiWLM version 8.3.2 and below.

Fortinet Advisory: https://www.fortiguard.com/psirt/FG-IR-21-189

CVSS Score: 8.3

Cookies helps to fund this blog: Cookie settings
Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *