PSIRT Advisories
FortiAuthenticator, FortiDeceptor & FortiMail - Improper restriction over excessive authentication attempts
Summary
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiAuthenticator, FortiDeceptor & FortiMail may allow a remote unauthenticated attacker to partially exhaust CPU and memory by sending numerous HTTP requests to the login form.
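The weakness described above is the absence of a cap on repeated login attempts from one source. The following is an added illustration, not Fortinet's code, of the generic mitigation for CWE-307: a per-source sliding-window throttle that rejects further requests before the expensive credential check runs. The class name, thresholds and sample addresses are all constructed for this example.

```python
from collections import deque


class LoginThrottle:
    """Sliding-window limiter for a login endpoint, keyed by client source.

    Hypothetical mitigation for CWE-307: once a source has made more than
    `max_attempts` requests within `window_s` seconds, every further request
    from it is refused for `lockout_s` seconds without verifying credentials.
    """

    def __init__(self, max_attempts=5, window_s=60.0, lockout_s=300.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._attempts = {}      # source -> deque of request timestamps
        self._locked_until = {}  # source -> time at which its lockout ends

    def allow(self, source, now):
        """True if the attempt from `source` at time `now` may proceed to
        credential verification, False if it is throttled."""
        locked = self._locked_until.get(source)
        if locked is not None:
            if now < locked:
                return False
            del self._locked_until[source]  # lockout has expired
        q = self._attempts.setdefault(source, deque())
        while q and now - q[0] >= self.window_s:  # drop stale timestamps
            q.popleft()
        q.append(now)
        if len(q) > self.max_attempts:
            self._locked_until[source] = now + self.lockout_s
            q.clear()
            return False
        return True


def simulate(throttle, requests):
    """Feed (source, timestamp) login requests through the throttle and
    return (allowed, rejected) counts; requests must be in time order."""
    allowed = rejected = 0
    for source, ts in requests:
        if throttle.allow(source, ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample: one source hammering the form, one normal user.
    burst = [("198.51.100.7", 0.1 * i) for i in range(100)]
    normal = [("203.0.113.5", 10.0 * i) for i in range(3)]
    print(simulate(LoginThrottle(), sorted(burst + normal, key=lambda r: r[1])))
```

With the defaults, the flooding source gets 5 attempts through and the remaining 95 are refused cheaply, while the normal user's 3 attempts are unaffected.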
Affected Products
FortiAuthenticator version 6.4 all versions
FortiAuthenticator version 6.3 all versions
FortiAuthenticator version 6.2 all versions
FortiAuthenticator version 6.1 all versions
FortiAuthenticator version 6.0 all versions
FortiAuthenticator version 5.5 all versions
FortiAuthenticator version 5.4 all versions
FortiDeceptor version 3.1 all versions
FortiDeceptor version 3.0 all versions
FortiDeceptor version 2.1 all versions
FortiDeceptor version 2.0 all versions
FortiDeceptor version 1.1 all versions
FortiDeceptor version 1.0 all versions
FortiMail version 6.4.0
FortiMail version 6.2.1 through 6.2.4
FortiMail version 6.0.0 through 6.0.9
Solutions
Please upgrade to FortiAuthenticator version 6.5.0 or above.
Please upgrade to FortiDeceptor version 3.2.0 or above.
Please upgrade to FortiMail version 6.4.1 or above.
Please upgrade to FortiMail version 6.2.5 or above.
Please upgrade to FortiMail version 6.0.10 or above.