PSIRT Advisories

FortiAuthenticator - Improper access control in HA service

Summary

An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database.

Affected Products

FortiAuthenticator 6.3.2 and below.
FortiAuthenticator 6.2.x.
FortiAuthenticator 6.1.x.
FortiAuthenticator 6.0.x.

Solutions

Please upgrade to FortiAuthenticator 6.4.0 or above.

Please upgrade to FortiAuthenticator 6.3.3 or above.

Acknowledgement

Fortinet is pleased to thank Steven Shockley for reporting this issue under responsible disclosure.