PSIRT Advisories

FortiTokenMobile - Missing digital certificate validation

Summary

An improper validation of certificate with host mismatch vulnerability [CWE-297] in FortiTokenMobile may allow an unauthenticated user to spoof the validation server identity and achieve a Man-in-the-Middle attack.

Affected Products

FortiTokenMobile for Android v5.0.3 or below is impacted
FortiTokenMobile for iOS v5.2.0 or below is impacted
FortiTokenMobile for Windows v4.0.3 or below is impacted

Solutions

Upgrade FortiTokenMobile for Android to version 5.1.0 or above
Upgrade FortiTokenMobile for iOS to version 5.3.0 or above
Upgrade FortiTokenMobile for Windows to version 4.1.0 or above