Missing digital certificate validation

Summary

An improper validation of certificate with host mismatch vulnerability [CWE-297] in FortiTokenMobile may allow an unauthenticated attacker positioned on the network path to present a certificate issued for a different host, spoof the identity of the validation server and achieve a Man-in-the-Middle attack.
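The weakness class above (CWE-297) is a TLS client that validates the certificate chain but never checks that the presented certificate names the host it intended to reach, so any certificate issued by a trusted CA, for any name, is accepted. The following is an added illustration, not Fortinet code and not taken from this advisory: it models the client-side decision with a hostname check switched off (the vulnerable pattern) and on (the fix), implements the subjectAltName matching a verifier must do, and shows the corresponding `ssl.SSLContext` setting. The certificates and host names are constructed samples in the dict shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress
import ssl

# Constructed sample certificates (not real Fortinet certificates) in the
# dict shape that ssl.SSLSocket.getpeercert() returns.
GENUINE_CERT = {
    "subject": ((("commonName", "validation.example.com"),),),
    "subjectAltName": (("DNS", "validation.example.com"),
                       ("DNS", "*.token.example.com")),
}
# A certificate that is perfectly valid (issued by a trusted CA, not expired)
# but for a different name: exactly what a CWE-297 client accepts.
ATTACKER_CERT = {
    "subject": ((("commonName", "mitm.example.net"),),),
    "subjectAltName": (("DNS", "mitm.example.net"),
                       ("IP Address", "192.0.2.10")),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style DNS-ID comparison using the strict rules OpenSSL applies:
    case-insensitive, a single '*' allowed only as the whole leftmost label,
    and at least two labels after the wildcard so '*.com' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def peer_matches_host(cert, hostname):
    """True only if the certificate's subjectAltName names the host we meant
    to talk to. DNS entries match by name, iPAddress entries by parsed
    address; the subject CN is ignored, as modern verifiers do."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and wanted_ip is None and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and wanted_ip is not None:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue
    return False


def accept_peer(cert, chain_valid, expected_host, check_hostname=True):
    """Model of the client's accept/reject decision. chain_valid is the
    outcome of path validation (CA signature, validity period). With
    check_hostname=False this is the CWE-297 pattern: any CA-issued
    certificate is accepted regardless of the name it was issued for."""
    if not chain_valid:
        return False
    if not check_hostname:
        return True
    return peer_matches_host(cert, expected_host)


def make_client_context(check_hostname=True):
    """Build an ssl.SSLContext. The default context already verifies the
    chain AND the hostname; clearing check_hostname is the weak setting
    that reproduces the vulnerable behaviour."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = check_hostname  # False == CWE-297 behaviour
    return ctx


if __name__ == "__main__":
    host = "validation.example.com"
    print("vulnerable client accepts attacker cert:",
          accept_peer(ATTACKER_CERT, True, host, check_hostname=False))
    print("fixed client accepts attacker cert:",
          accept_peer(ATTACKER_CERT, True, host))
    print("fixed client accepts genuine cert:",
          accept_peer(GENUINE_CERT, True, host))
```

The practical check for any TLS client is the last function: whatever library is in use, confirm that hostname verification is enabled together with chain verification, and that an otherwise valid certificate for a different name is rejected, since chain validation alone never detects a host mismatch.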

Affected Products

FortiTokenIOS 5.4 all versions are not affected
FortiTokenIOS 5.3 all versions are not affected
FortiTokenIOS 5.2 all versions
FortiTokenIOS 5.1 all versions are not affected
FortiTokenIOS 5.0 all versions are not affected
FortiTokenIOS 4.6 all versions are not affected
FortiTokenIOS 4.3 all versions
FortiTokenIOS 4.2 all versions
FortiTokenIOS 4.1 all versions
FortiTokenIOS 3.0 all versions
FortiTokenAndroid 5.2 all versions are not affected
FortiTokenAndroid 5.1 all versions are not affected
FortiTokenAndroid 5.0 all versions
FortiTokenAndroid 4.5 all versions
FortiTokenAndroid 4.4 all versions
FortiTokenAndroid 4.3 all versions
FortiTokenAndroid 4.2 all versions
FortiTokenAndroid 4.1 all versions
FortiTokenAndroid 4.0 all versions
FortiTokenAndroid 3.0 all versions
FortiTokenAndroid 0.4 all versions
FortiTokenMobileWP 4.1 all versions are not affected
FortiTokenMobileWP 4.0 all versions
FortiTokenMobileWP 3.0 all versions

Solutions

Upgrade FortiTokenMobile for Android to version 5.1.0 or above
Upgrade FortiTokenMobile for iOS to version 5.3.0 or above
Upgrade FortiTokenMobile for Windows to version 4.1.0 or above

Timeline

2022-06-07: Initial publication