CVE-2004-1653 SSH port forwarding exposes unprotected internal services
An improper access control vulnerability in the admin SSH console of multiple products may allow an authenticated user to access internal only system services via using SSH local port forwarding.
A successful attack needs an authenticated admin SSH user to set up a port bounce to product internal only services via SSH local port forwarding; potential consequences are information disclosure and/or privilege escalation.
Information Disclosure, Privilege Escalation
FortiOS is not impacted.
FortiSwitch is not impacted.
FortiAnalyzer 6.2.0 to 6.2.3, 6.0.8 and below
FortiManager 6.2.0 to 6.2.3, 6.0.8 and below
FortiAP-S/W2 6.2.3 and below
FortiAP-U 6.0.1 and below
FortiAnalyzer: upgrade to 6.0.9 or 6.2.4 or above
FortiManager: upgrade to 6.0.9 or 6.2.4 or above
FortiAP-S/W2: upgrade to 6.2.4 or above
FortiAP-U: upgrade to 6.0.2 or above
Disable admin SSH console, or set trusted hosts to restrict admin SSH console access to trusted users, to prevent scenarios where an attacker who acquired valid user accounts via phishing / social engineering uses those to perform this attack.
Fortinet is pleased to thank Renee Trisberg from SpectX ( https://www.spectx.com/ ) for reporting this vulnerability under FortiAnalyzer through responsible disclosure.