FortiMail - Administrative authentication bypass

Summary

An improper authentication vulnerability [CWE-287] in FortiMail may allow a remote attacker to efficiently guess the authentication token of an administrative account by observing certain system properties.

Affected Products

FortiMail version 7.0.0 and below.
FortiMail version 6.4.5 and below.
FortiMail version 6.2.7 and below.
FortiMail version 6.0.11 and below.
FortiMail version 5.4.12 and below.

Solutions

Upgrade to FortiMail version 7.0.1.
Upgrade to FortiMail version 6.4.6.
Upgrade to FortiMail version 6.2.8.
Upgrade to FortiMail version 6.0.12.

Acknowledgement

Discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.