PSIRT Advisories

FortiNAC - improper permissions set for tomcat users configuration file

Summary

An incorrect permission assignment for a critical resource vulnerability [CWE-732] in FortiNAC may allow an authenticated attacker to access sensitive system data and, as a consequence, raise the authenticated user's privilege to admin.
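A defender-side check for the class of weakness described above (CWE-732 on a Tomcat users file), as an added example that is not Fortinet's code. The advisory gives neither the file's path nor its actual mode, so the path is supplied by the caller and "too broad" is assumed to mean any access for other users or group write; GNU `stat` and Tomcat's standard `<user ... password=...>` entry format are also assumed.

```shell
#!/bin/sh
# Added example: audit the mode of a Tomcat users file (CWE-732 check).
# Assumptions: GNU stat; the caller supplies the path, since the advisory
# does not state where the file lives on a FortiNAC system.

# audit_tomcat_users FILE
# Returns 0 if the mode is restrictive, 1 if it is too broad,
# 2 if the file cannot be checked.
audit_tomcat_users() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "SKIP  $file: not a regular file" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$file") || return 2      # octal, e.g. 644
    owner=$(stat -c '%U:%G' "$file") || return 2
    m=$((0$mode))                                 # parse as octal
    other=$((m & 7))                              # any rwx bit for "other"
    group_write=$(( (m >> 3) & 2 ))               # write bit for group

    # Count lines carrying a password attribute without printing them.
    users=$(grep -c '<user[[:space:]][^>]*password=' "$file" 2>/dev/null || true)

    rc=0
    if [ "$other" -ne 0 ]; then
        echo "FAIL  $file: mode $mode grants access to other users"
        rc=1
    fi
    if [ "$group_write" -ne 0 ]; then
        echo "FAIL  $file: mode $mode is group-writable"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK    $file: mode $mode"
    fi
    echo "INFO  owner=$owner, lines with a password attribute: ${users:-0}"
    return "$rc"
}

if [ "$#" -eq 0 ]; then
    # Demo on a constructed file (placeholder values, not FortiNAC data).
    sample=$(mktemp)
    printf '<user username="constructed" password="placeholder" roles="admin"/>\n' > "$sample"
    chmod 644 "$sample"; audit_tomcat_users "$sample" || true
    chmod 600 "$sample"; audit_tomcat_users "$sample" || true
    rm -f "$sample"
else
    for f in "$@"; do audit_tomcat_users "$f" || true; done
fi
```

A passing result does not replace the upgrades listed under Solutions; it only reports the file mode at the time of the check.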

Affected Products

FortiNAC version 9.2.0 and below.
FortiNAC version 9.1.3 and below.
FortiNAC version 8.8.9 and below.

Solutions

Upgrade to upcoming FortiNAC version 10.0.0 or above.

Upgrade to FortiNAC version 9.2.1 or above.

Upgrade to FortiNAC version 9.1.4 or above.

Upgrade to FortiNAC version 8.8.10 or above.

Acknowledgement

Fortinet is pleased to thank the Orange CERT-CC team for reporting this vulnerability under responsible disclosure.