PSIRT Advisory

Read-only admins can obtain LDAP credentials configured in FortiGate using LDAP test connectivity feature

Summary

FortiGate's read-only admins are able to point an LDAP server connectivity test request at a rogue LDAP server instead of the configured one, in order to obtain the LDAP server login credentials configured in the FortiGate.
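To make the access-control failure concrete, the following is an added, simplified model of the pattern the advisory describes: a "test connectivity" action that uses the stored LDAP bind credentials but lets the caller choose the target host, with no privilege check. It is not FortiOS code; the profile names, configuration fields, hosts and the `BindRecorder` stand-in for a real LDAP bind are all constructed for this page, and nothing touches the network. The vulnerable handler is shown beside a hardened one that requires a read-write profile and takes the host only from the stored configuration.

```python
"""Model of the access-control flaw the advisory describes: a "test LDAP
connectivity" action that uses the stored bind credentials but lets the caller
choose the target server. Simplified, hypothetical model written for this
page; it is not FortiOS code. No network traffic: the bind is simulated and
records where the credentials would have gone."""
from dataclasses import dataclass, field

READ_ONLY = "read-only"
READ_WRITE = "read-write"


@dataclass
class LdapServerConfig:
    """A configured LDAP server entry (names and values are constructed)."""
    name: str
    host: str
    bind_dn: str
    bind_password: str


@dataclass
class Admin:
    username: str
    profile: str  # READ_ONLY or READ_WRITE


@dataclass
class BindRecorder:
    """Stands in for a real LDAP simple bind; records (host, dn, password) sent."""
    sent: list = field(default_factory=list)

    def bind(self, host: str, dn: str, password: str) -> bool:
        self.sent.append((host, dn, password))
        return True


def check_connectivity_vulnerable(admin, config, request, recorder):
    """Vulnerable pattern: no privilege check, and the target host comes from the
    request, so whoever can call this can direct the stored credentials anywhere."""
    host = request.get("server", config.host)
    return recorder.bind(host, config.bind_dn, config.bind_password)


def check_connectivity_hardened(admin, config, request, recorder):
    """Hardened pattern: require a read-write profile, and take the host only from
    the stored configuration; the request may only name which configured entry
    to test, never supply a host of its own."""
    if admin.profile != READ_WRITE:
        raise PermissionError("connectivity test requires a read-write admin profile")
    if request.get("server", config.name) != config.name:
        raise ValueError("target must be a configured server name, not an arbitrary host")
    return recorder.bind(config.host, config.bind_dn, config.bind_password)


def demo():
    """Runs both handlers as a read-only admin against a constructed rogue host
    and returns which host received the credentials in each case (None if the
    handler refused)."""
    config = LdapServerConfig(
        name="corp-ldap",
        host="ldap.corp.example",
        bind_dn="cn=fortigate-bind,ou=svc,dc=corp,dc=example",
        bind_password="placeholder-not-a-real-secret",
    )
    read_only_admin = Admin("auditor", READ_ONLY)
    rogue_request = {"server": "198.51.100.7"}  # constructed attacker-controlled host

    vuln = BindRecorder()
    check_connectivity_vulnerable(read_only_admin, config, rogue_request, vuln)

    hard = BindRecorder()
    try:
        check_connectivity_hardened(read_only_admin, config, rogue_request, hard)
    except PermissionError:
        pass

    return {
        "vulnerable_sent_to": vuln.sent[0][0],
        "hardened_sent_to": hard.sent[0][0] if hard.sent else None,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the second check in the hardened handler: even for a read-write admin, a diagnostic that carries stored secrets must bind only to the server recorded in configuration, so that the privilege to run a test never becomes the privilege to choose where credentials are sent.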

Impact

Improper Access Control

Affected Products

FortiOS 6.0.0 -> 6.0.2

FortiOS 5.6.7 and before

Solutions

Upgrade to FortiOS 5.6.8, 6.0.3 or upcoming 6.2.0
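For triaging a fleet against the ranges above, here is an added version check (not a Fortinet tool) whose ranges are transcribed directly from the Affected Products and Solutions sections: 6.0.0 through 6.0.2 and 5.6.7 and before are affected, with 5.6.8 and 6.0.3 as the fixed releases on each branch. The function and constant names are assumptions made for this example.

```python
"""Affected-version check for this advisory. Added example, not a Fortinet
tool; the ranges are transcribed from the advisory text ("6.0.0 -> 6.0.2",
"5.6.7 and before", fixed in 5.6.8 / 6.0.3 / 6.2.0)."""


def parse_version(text: str) -> tuple:
    """'6.0.2' -> (6, 0, 2). Only the first three dotted components are
    compared, matching how the advisory states its ranges."""
    parts = tuple(int(part) for part in text.strip().split("."))
    return parts[:3]


# (lowest affected, highest affected), both inclusive, per the advisory.
AFFECTED_RANGES = (
    ((6, 0, 0), (6, 0, 2)),
    ((0, 0, 0), (5, 6, 7)),  # "5.6.7 and before"
)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def fixed_version_for(version: str):
    """Upgrade target on the same branch as an affected version, per the
    Solutions section; None when the version is not in an affected range."""
    if not is_affected(version):
        return None
    return "6.0.3" if parse_version(version) >= (6, 0, 0) else "5.6.8"


if __name__ == "__main__":
    for sample in ("5.6.7", "5.6.8", "6.0.2", "6.0.3", "6.2.0"):  # constructed samples
        print(sample, "affected" if is_affected(sample) else "not affected", fixed_version_for(sample))
```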

Acknowledgement

Fortinet is pleased to thank Julio Engels Ureña Martinez for reporting this vulnerability under responsible disclosure.