Multiple OS command injection vulnerabilities
Summary
Multiple OS command injection [CWE-78] vulnerabilities in the command line interface of FortiManager, FortiAnalyzer, and FortiPortal may allow a local authenticated and unprivileged user to execute arbitrary shell commands as root via specifically crafted CLI command parameters.
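The class of defect described above is CWE-78: a user-supplied CLI parameter is spliced into a command line that a shell then interprets, so shell metacharacters in the parameter become extra commands, and because the CLI process itself runs as root, those commands run as root. The following is an added illustration of that pattern and its hardened counterpart; it is not Fortinet code and does not reflect how the affected products handle their CLI. The parameter name, the allowlist pattern and the use of `echo` as the wrapped command are all assumptions chosen so the demo is harmless.

```python
import re
import subprocess

# Constructed allowlist for a hypothetical "<command> <host>" CLI parameter:
# only hostname/IPv4 characters, no whitespace, quotes or shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def validate_host(param: str) -> str:
    """Reject any parameter that is not a plain hostname or IPv4 literal."""
    if not HOST_RE.fullmatch(param):
        raise ValueError(f"rejected CLI parameter: {param!r}")
    return param


def run_unsafe(param: str) -> str:
    """The CWE-78 pattern: the parameter is interpolated into a command string
    that is handed to a shell. 'echo' stands in for the real tool so the demo is
    harmless, but a ';' in the parameter still ends the intended command and
    starts a second one, exactly as it would for the real wrapped binary."""
    cmd = f"echo {param}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(param: str) -> str:
    """Hardened form: validate against the allowlist, then exec with an argv
    list and shell=False so nothing is ever parsed by a shell. Even if the
    validator were bypassed, the parameter would reach 'echo' as one literal
    argument rather than as shell syntax."""
    host = validate_host(param)
    return subprocess.run(["echo", host], shell=False,
                          capture_output=True, text=True).stdout


def run_argv_only(param: str) -> str:
    """Second layer shown on its own: argv execution without the allowlist.
    Demonstrates that the metacharacters are passed through literally."""
    return subprocess.run(["echo", param], shell=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    sample = "host1;echo INJECTED"          # constructed input with a metacharacter
    print("unsafe :", repr(run_unsafe(sample)))
    print("argv   :", repr(run_argv_only(sample)))
    try:
        run_safe(sample)
    except ValueError as e:
        print("safe   :", e)
```

Both defences matter independently: the allowlist stops unexpected input at the boundary and gives something to log, while the argv form removes the shell from the path so a missed character class cannot become a command. The root impact in the advisory is the third factor, the privilege of the CLI process itself; running such helpers under a dedicated unprivileged account limits what an injected command can do even when the first two layers fail.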
Affected Products
FortiManager versions 6.2.7 and below.
FortiManager versions 6.4.5 and below.
FortiManager versions 5.6.x, 6.2.x and 6.0.x are also impacted.
FortiAnalyzer versions 6.2.7 and below.
FortiAnalyzer versions 6.4.5 and below.
FortiAnalyzer versions 5.6.x, 6.2.x and 6.0.x are also impacted.
FortiPortal version 5.2.5 and below.
FortiPortal version 5.3.5 and below.
FortiPortal version 6.0.4 and below.
Solutions
Please upgrade to FortiManager version 6.0.11 or above.
Please upgrade to FortiManager version 6.2.8 or above.
Please upgrade to FortiManager version 6.4.6 or above.
Please upgrade to FortiManager version 7.0.0 or above.
Please upgrade to FortiAnalyzer version 6.0.11 or above.
Please upgrade to FortiAnalyzer version 6.2.8 or above.
Please upgrade to FortiAnalyzer version 6.4.6 or above.
Please upgrade to FortiAnalyzer version 7.0.0 or above.
Please upgrade to FortiPortal version 5.2.6 or above.
Please upgrade to FortiPortal version 5.3.6 or above.
Please upgrade to FortiPortal version 6.0.5 or above.
Acknowledgement
Fortinet is pleased to thank Orange-CERT Coordination Center for reporting this vulnerability under responsible disclosure.
Timeline
2021-08-03: Initial publication