Deny request approved from External push notification
Summary
An improper access control vulnerability [CWE-284 ] in FortiToken Mobile (Android) external push notification may allow a remote attacker having already obtained a user's password to access the protected system during the 2FA procedure, even though the deny button is clicked by the legitimate user.
Affected Products
FortiTokenAndroid 5.1 all versions
FortiTokenAndroid 5.0 all versions
FortiTokenAndroid 4.5 all versions
FortiTokenAndroid 4.4 all versions
FortiTokenAndroid 4.3 all versions
FortiTokenAndroid 4.2 all versions
FortiTokenAndroid 4.1 all versions
FortiTokenAndroid 4.0 all versions
Solutions
Please upgrade to version 5.2.0 or above.
Acknowledgement
Fortinet is pleased to thank Gerard Gerritsen from Gemeente Ede for reporting this vulnerability under responsible disclosure.Timeline
2022-03-01: Initial publication