FortiManager - Incorrect user management behavior leads to passwordless admin
An incorrect user management vulnerability CWE-286 in the FortiManager VDOM creation component may allow an attacker to access a FortiGate without a password via newly created VDOMs after the superadmin profiled admin account is deleted...
CVE-2022-22965 and CVE-2022-22963 vulnerabilities
Two distinct Spring project vulnerabilities were released recently with critical CVSS scores and classified as zero-day attacks. The two vulnerabilities are currently known as: CVE-2022-22965 or Spring4Shell: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remot...
Kr00k vulnerability (CVE-2019-15126) in Broadcom and Cypress Wi-Fi chips
During the RSA conference of February 26th 2020, researchers Štefan Svorencík and Robert Lipovsky disclosed a vulnerability in the implementation of the wireless egress packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability is referenced as CVE-2019-15126 and could allow an...
Protect
TCP stacks that lack RFC 5961 3.2 & 4.2 support or have it disabled at application level may allow remote attackers to guess sequence numbers and cause a denial of service connection loss to persistent TCP connections by repeatedly injecting a TCP RST or SYN packet...
Protect
Failure to sanitize the login redir parameter in the SSL-VPN web portal may allow an attacker to perform a Cross-site Scripting XSS or an URL Redirection attack...
FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests
A path traversal vulnerability in the FortiProxy SSL VPN web portal may allow a non-authenticated, remote attacker to download FortiProxy system files through specially crafted HTTP resource requests...
Protect
An improper limitation of a pathname to a restricted directory vulnerability 'path traversal' CWE-22 in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands...
Protect
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted...
Protect
An authentication bypass using an alternate path or channel vulnerability CWE-288 in FortiOS, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests...
Protect
An improper neutralization of input during web page generation vulnerability CWE-79 in FortiProxy and FortiOS web filter override form may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests...
Multiple vulnerabilities in Apache Airflow
Security advisories were released affecting the version of Apache Airflow library used in some Fortinet products:...
Protect
A buffer underwrite 'buffer underflow' vulnerability in FortiOS, FortiManager, FortiAnalyzer, FortiWeb, FortiProxy & FortiSwitchManager administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically...
Apache log4j2 log messages substitution (CVE-2021-44228)
Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when...
FortiManager/FortiAnalyzer - XSS Vulnerability in Report Templates
An improper neutralization of input during web page generation vulnerability CWE-79 in FortiManager and FortiAnalyzer report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281...
CVE-2015-4000 "Logjam" attack
...
FortiOS TCP timestamp response
FortiOS by default enables TCP timestamp response, which may lead to information disclosure...
Protect
A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests...
Protect
An exposure of sensitive information to an unauthorized actor vulnerability in FortiGate may allow a remote authenticated attacker to read the SSL VPN events log entries of users in other VDOMs by executing "get vpn ssl monitor" from the CLI. The sensitive data includes usernames, user groups, a...
CVE-2022-0847 on Linux Kernel
A security advisory was released affecting a version of the Linux Kernel used in FortiAuthenticator, FortiProxy & FortiSIEM:...
CVE-2015-0235 "GHOST" vulnerability
...
Protect
CVE-2022-3602: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue...
FortiWeb is vulnerable to a blind SQL injection
A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement...
Protect
A security advisory was released affecting the version of OpenSSL library used in some Fortinet products:...
Protect
An insertion of sensitive information into log file vulnerability CWE-532 in FortiOS / FortiProxy log events may allow a remote authenticated attacker to read certain passwords in ciphertext...
Multiple products cross-site scripting vulnerabilities
...
Protect
An improper authentication vulnerability in SSL VPN in FortiOS may result in a user being able to log in successfully without being prompted for the second factor of authentication FortiToken if they changed the case of their username...
Protect
A missing cryptographic steps vulnerability CWE-325 in the functions that encrypt the DHCP and DNS keys ddns-key or n-mhae-key in FortiOS & FortiProxy configuration may allow an attacker in possession of the encrypted key to decipher it...
Protect
Multiple Fortinet products may be affected by the following Linux Kernel vulnerability:...
Protect
A heap-based buffer overflow vulnerability CWE-122 in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests...
ROCA: Vulnerable RSA key pairs generation (CVE-2017-15361)
An old Infineon RSA library does not properly generate RSA key pairs, therefore enabling an attacker to potentially infer a private key from a public key...
Protect
FortiGate's and FortiADC's read-only admins are able to point an LDAP server connectivity test request to a rogue LDAP server instead of the configured one, in order to obtain the LDAP server login credentials configured in the FortiGate...
Protect
A server-generated error message containing sensitive information vulnerability CWE-550 in FortiOS and FortiProxy web proxy may allow a malicious webserver to retrieve a web proxy's client username and IP via same origin HTTP requests triggering proxy-generated HTTP status codes pages...
FortiNAC - SSH Weak Key Exchange Algorithm
A use of a weak cryptographic algorithm vulnerability CWE-327 in FortiNAC may increase the chances of an attacker to have access to sensitive information or to perform man-in-the-middle attacks...
Intel-SA-00086 Security Review Cumulative Update
Intel recently released a security update Intel-SA-00086, regarding Intel ME 11.x, SPS 4.0, and TXE 3.0 Intel products...
FortiAnalyzer - XSS vulnerability due to AngularJS Client-Side Template injection
An improper neutralization of input during web page generation vulnerability CWE-79 in FortiAnalyzer may allow a remote unauthenticated attacker to perform a stored cross site scripting XSS attack via the URL parameter observed in the FortiWeb attack event logview in FortiAnalyzer...
Protect
A use of externally-controlled format string vulnerability CWE-134 in the Fclicense daemon of FortiOS may allow a remote authenticated attacker to execute arbitrary code or commands via specially crafted requests...
CVE-2019-9193 PostgreSQL allows OS level commands via COPY SQL function
An OS command injection vulnerability in FortiAnalyzer, FortiAuthenticator and FortiManager may allow a privileged system administrator to run OS level commands on the system via injecting commands in SQL queries...
FortiWeb - Stack-based buffer overflows in Proxyd
Multiple stack-based buffer overflow vulnerabilities CWE-121 in FortiWeb's proxy daemon may allow an unauthenticated remote attacker to achieve arbitrary code execution via specifically crafted HTTP requests...
FortiClient - Privilege escalation in FortiClient installer
An external control of file name or path vulnerability CWE-73 in FortiClient Windows may allow an unprivileged attacker to delete or execute files with admin rights via the MSI installer...
CVE-2015-1793 OpenSSL "Alternative Chains Certificate Forgery"
...
FortiNAC - External Control of File Name or Path in keyUpload scriptlet
An external control of file name or path vulnerability CWE-73 in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system...
Protect
When traffic other than HTTP/S (e.g. SSH traffic) traverses the FortiOS on port 80/443, it is not redirected to the transparent proxy policy for processing, as it doesn't have a valid HTTP header...
FortiOS SSL Deep-Inspection possible Insecure Renegotiation
FortiOS SSL Deep-Inspection may enable insecure renegotiation between TLS clients and servers that support secure renegotiation, opening the door to potential Man-in-the-Middle attacks CVE-2009-3555 against the TLS connection, where an attacker could inject arbitrary data in the connection withou...
Remote Exploit Vulnerability in Bash - (Shellshock)
An exploit has been discovered in GNU Bourne Again Shell Bash versions 1.14.0 through 4.3. This vulnerability may allow an attacker to remotely execute arbitrary code by crafting special code within an environment variable string. Under certain circumstances, exploitation of this vulnerability ca...
Protect
A permissive list of allowed inputs vulnerability CWE-183 in FortiGate Policy-based NGFW Mode may allow an authenticated SSL-VPN user to bypass the policy via bookmarks in the web portal...
FortiClient (Windows) - privilege escalation in online installer due to incorrect working directory
An improper initialization CWE-665 vulnerability in FortiClient Windows may allow a local attacker to gain administrative privileges via placing a malicious executable inside the FortiClient installer's directory...
FortiMail - Administrative authentication bypass
An improper authentication vulnerability CWE-287 in FortiMail may allow a remote attacker to efficiently guess one administrative account's authentication token by means of the observation of certain system's properties...
Http debug commands in FortiMail exposes users credentials to admins
...
Protect
A stack-based buffer overflow vulnerability CWE-121 in FortiOS may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections...
OpenSSL Security Advisory [22 Sept 2016]
The OpenSSL project released an advisory on Sept 22nd, 2016, describing 1 High, 1 Medium and 12 Low severity vulnerabilities, as listed below: OCSP Status Request extension unbounded memory growth (CVE-2016-6304); SSL_peek() hang on empty record (CVE-2016-6305); SWEET32 Mitigation (CVE-2016-2183); OOB write ...