FortiProxy SSL-VPN Improper Access Control vulnerability through the Quick connection functionality

FortiProxy SSL-VPN Improper Access Control vulnerability through the Quick connection functionality

Summary

An improper access control vulnerability in FortiProxy SSL VPN portal may allow an authenticated, remote attacker to access internal service such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality.

Impact

Improper Access Control

Affected Products

FortiProxy version 2.0.0 FortiProxy versions 1.2.9 and below. FortiProxy versions 1.1.6 and below. FortiProxy versions 1.0.7 and below.

Solutions

Please upgrade to FortiProxy versions 2.0.1 or above. Please upgrade to FortiProxy versions 1.2.10 or above.

Acknowledgement

Internally discovered and reported by the Fortinet PSIRT Team.