PSIRT Advisories

FortiAnalyzer, FortiManager - bypass of client-side password change policy enforcement

Summary

An improper handling of insufficient permissions or privileges vulnerability [CWE-280] in FortiAnalyzer and FortiManager may allow an authenticated attacker to bypass the device policy and force the password-change action for its user.

Affected Products

FortiManager version 5.6.0 through 5.6.11
FortiManager version 6.0.0 through 6.0.11
FortiManager version 6.2.0 through 6.2.9
FortiManager version 6.4.0 through 6.4.7
FortiManager version 7.0.0 through 7.0.2


FortiAnalyzer version 5.6.0 through 5.6.11
FortiAnalyzer version 6.0.0 through 6.0.11
FortiAnalyzer version 6.2.0 through 6.2.9
FortiAnalyzer version 6.4.0 through 6.4.7
FortiAnalyzer version 7.0.0 through 7.0.2

Solutions

Upgrade to FortiAnalyzer version 7.0.3 or above
Upgrade to FortiAnalyzer version 6.4.8 or above

Upgrade to FortiManager version 7.0.3 or above
Upgrade to FortiManager version 6.4.8 or above

Acknowledgement

Fortinet is pleased to thank Alaa A. Bukhari for reporting this vulnerability under responsible disclosure