PSIRT Advisories

FortiAuthenticator, FortiDeceptor & FortiMail - Improper restriction over excessive authentication attempts

Summary

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiAuthenticator, FortiDeceptor & FortiMail may allow a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.

Affected Products

FortiAuthenticator version 6.4  all versions
FortiAuthenticator version 6.3  all versions
FortiAuthenticator version 6.2  all versions
FortiAuthenticator version 6.1  all versions
FortiAuthenticator version 6.0  all versions
FortiAuthenticator version 5.5  all versions
FortiAuthenticator version 5.4  all versions
FortiDeceptor version 3.1  all versions
FortiDeceptor version 3.0  all versions
FortiDeceptor version 2.1 all versions
FortiDeceptor version 2.0  all versions
FortiDeceptor version 1.1  all versions
FortiDeceptor version 1.0  all versions
FortiMail version 6.4.0
FortiMail version 6.2.1 through 6.2.4
FortiMail version 6.0.0 through 6.0.9

Solutions

Please upgrade to FortiAuthenticator version 6.5.0 or above,

Please upgrade to FortiDeceptor version 3.2.0 or above.

Please upgrade to FortiMail version 6.4.1 or above,
Please upgrade to FortiMail version 6.2.5 or above,
Please upgrade to FortiMail version 6.0.10 or above.

Acknowledgement

Fortinet is pleased to thank Danilo Costa from Conviso Application Security who reported this vulnerability under responsible disclosure.