PSIRT Advisory
Read-only admins can obtain LDAP credentials configured in FortiGate using LDAP test connectivity feature
Summary
FortiGate's read-only admins are able to point an LDAP server connectivity test request at a rogue LDAP server instead of the configured one, in order to obtain the LDAP server login credentials configured in the FortiGate.
Impact
Improper Access Control
Affected Products
FortiOS 6.0.0 to 6.0.2
FortiOS 5.6.7 and before
Solutions
Upgrade to FortiOS 5.6.8, 6.0.3 or upcoming 6.2.0
Acknowledgement
Fortinet is pleased to thank Julio Engels Ureña Martinez for reporting this vulnerability under responsible disclosure.