VM appliance lack of root file system integrity check may allow an attacker with read/write access to the VM image (before it is booted up) to inject malicious implants in the image.
FortiOS VM all versions below 6.0.5 (CVE-2019-5587)
FortiManager VM version 6.2.0, 6.0.6 and below (CVE-2019-6695)
Upgrade to FortiOS VM versions 6.0.5 or 6.2.0
Upgrade to FortiManager VM versions 6.0.7 or 6.2.1
Verify the VM images' integrity by comparing the SHA-512 checksum with the checksum indicated on https://support.fortinet.com/ (downloads section) for that image.
05-17-2019 Initial Version
07-15-2019 CVE-2019-6695 disclosed
11-14-2019 CVE-2019-6695 6.0 branch fixed.
Fortinet is pleased to thank Bart Dopheide, Axians for reporting CVE-2019-5587 and independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting CVE-2019-6695 under responsible disclosure.