PSIRT Advisories

FortiMail - Unauthenticated encryption in IBE leads to email plaintext recovery

Summary

A missing cryptographic step (authentication of the ciphertext) in FortiMail IBE may allow an unauthenticated attacker who intercepts encrypted messages to modify them without detection, making tampering with the messages and recovery of their plaintext possible.
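The missing step the summary refers to is an integrity check over the ciphertext. The added example below (not Fortinet's code and not a description of how FortiMail IBE is implemented) shows the difference in behaviour: an unauthenticated cipher silently decrypts a modified ciphertext to a different message, while the same cipher wrapped in encrypt-then-MAC rejects the modification. The HMAC-SHA256 counter-mode keystream, the keys, the nonce and the message are all constructed stand-ins.

```python
import hashlib
import hmac

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode, a stdlib-only stand-in for a real stream/CTR cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Plain XOR with the keystream: confidentiality only, no integrity.
    # Because XOR is symmetric, the same function decrypts.
    return bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt first, then MAC the nonce and ciphertext with a separate key.
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return encrypt_unauthenticated(enc_key, nonce, ct)


def demo() -> tuple:
    # Constructed keys, nonce and message; a single ciphertext byte is flipped in transit.
    enc_key, mac_key, nonce = b"\x01" * 32, b"\x02" * 32, bytes(NONCE_LEN)
    msg = b"Confidential: the meeting is at 10:00"
    ct = bytearray(encrypt_unauthenticated(enc_key, nonce, msg))
    ct[-1] ^= 0x01
    silently_decrypted = encrypt_unauthenticated(enc_key, nonce, bytes(ct))
    blob = bytearray(encrypt_then_mac(enc_key, mac_key, nonce, msg))
    blob[NONCE_LEN + len(msg) - 1] ^= 0x01
    try:
        decrypt_then_verify(enc_key, mac_key, bytes(blob))
        rejected = False
    except ValueError:
        rejected = True
    # (unauthenticated path returned an altered message, authenticated path rejected it)
    return silently_decrypted != msg, rejected
```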

Affected Products

FortiMail version 6.4.4 and below.
FortiMail version 6.2.6 and below.

Solutions

Upgrade to FortiMail version 7.0.0.

Fix for version 6.4 to be confirmed.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.