PSIRT Advisories

FortiMail - Improper use of cryptographic primitives in IBE KeyStore

Summary

Missing cryptographic steps in the FortiMail IBE KeyStore may allow an attacker who obtains the encrypted master keys to compromise their confidentiality by observing a few invariant properties of the ciphertext, without knowing the wrapping key.
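The advisory does not say which cryptographic steps are missing or which invariants are observable, and the program below is an added illustration of the general failure class, not Fortinet code and not a description of how the FortiMail IBE KeyStore actually works. It assumes the two most common omissions in key wrapping, no randomisation (deterministic, block-by-block AES, i.e. ECB) and no integrity tag, and contrasts them with AES-GCM under a fresh nonce. The function names (wrapECB, wrapGCM, unwrapGCM, duplicateBlocks) and the sample key-encryption key and master key are hypothetical and constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// wrapECB protects a master key with raw AES block encryption (ECB mode):
// no IV, no integrity tag. This is the illustrative anti-pattern: the output
// is deterministic and preserves the plaintext's block structure.
func wrapECB(kek, key []byte) ([]byte, error) {
	if len(key) == 0 || len(key)%aes.BlockSize != 0 {
		return nil, errors.New("key length must be a non-zero multiple of 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(key))
	for i := 0; i < len(key); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], key[i:i+aes.BlockSize])
	}
	return out, nil
}

// wrapGCM protects the same key with AES-GCM under a fresh random nonce, so
// the output is randomised and authenticated. Layout: nonce || ciphertext || tag.
func wrapGCM(kek, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, key, nil), nil
}

// unwrapGCM reverses wrapGCM and fails closed on any modification of the blob.
func unwrapGCM(kek, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// duplicateBlocks counts 16-byte blocks that repeat an earlier block of the
// same ciphertext: an invariant an attacker can observe without any key.
func duplicateBlocks(ct []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	// Constructed sample values; a real KEK and master key would be random.
	kek := bytes.Repeat([]byte{0x11}, 32)
	master := bytes.Repeat([]byte{0x42}, 32) // two identical 16-byte blocks

	e1, _ := wrapECB(kek, master)
	e2, _ := wrapECB(kek, master)
	fmt.Printf("ECB: same output for same key: %v, repeated blocks: %d\n",
		bytes.Equal(e1, e2), duplicateBlocks(e1))

	g1, _ := wrapGCM(kek, master)
	g2, _ := wrapGCM(kek, master)
	fmt.Printf("GCM: same output for same key: %v, repeated blocks: %d\n",
		bytes.Equal(g1, g2), duplicateBlocks(g1[12:]))

	g1[len(g1)-1] ^= 0x01 // flip one bit of the tag
	if _, err := unwrapGCM(kek, g1); err != nil {
		fmt.Println("GCM: tampered blob rejected:", err)
	}
}
```

With the deterministic wrapper, two keystores holding the same master key produce byte-identical blobs, and a master key with repeated content shows repeated ciphertext blocks; both leak information to anyone who can read the encrypted keys. With a randomised, authenticated wrapper neither invariant exists and a modified blob is rejected rather than decrypted to attacker-controlled bytes.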

Affected Products

FortiMail version 6.4.4 and below.
FortiMail version 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.

Fix for version 6.4 to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.