PSIRT Advisories

FortiMail - Insecure PRNG in password and token generation scheme of IBE authentication

Summary

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of FortiMail Identity Based Encryption service may allow an unauthenticated attacker to infer parts of users authentication tokens and reset their credentials.

Affected Products

FortiMail 6.4.4 and below.
FortiMail 6.2.6 and below.

Solutions

Upgrade to FortiMail 7.0.0.

Upgrade to FortiMail 6.4.5.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of the Fortinet PSIRT Team.