A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate and FortiAuthenticator may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.
The potentially exposed private keys have been revoked, please upgrade to the versions provided in the solutions to support push proxy.
FortiOS version 6.4.0 through 6.4.1
FortiOS version 6.2.0 through 6.2.9
FortiOS version 6.0.0 through 6.0.13
FortiAuthenticator version 6.1.0
FortiAuthenticator version 6.0.0 through 6.0.4
FortiAuthenticator 5.5 all versions
Please upgrade to FortiGate version 6.4.2 or above.
Please upgrade to FortiOS version 6.2.10 or above
Please upgrade to FortiOS version 6.0.14 or above
Please upgrade to FortiAuthenticator version 6.2.0 or above
Please upgrade to FortiAuthenticator version 6.1.1 or above
Please upgrade to FortiAuthenticator version 6.0.5 or above
Workaround in FortiOS:
Disable the FTM push service by using the below commands:
config system ftm-push
set status disable