PSIRT Advisories
FortiSandbox / FortiDeceptor - Improper profile-based access control over APIs
Summary
An improper privilege management vulnerability [CWE-269] in FortiSandbox & FortiDeceptor may allow a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.
Affected Products
FortiDeceptor version 4.1.0
FortiDeceptor version 4.0.0 through 4.0.2
FortiDeceptor version 3.3.0 through 3.3.3
FortiDeceptor 3.2 all versions
FortiDeceptor 3.1 all versions
FortiDeceptor 3.0 all versions
FortiDeceptor 2.1 all versions
FortiDeceptor 2.0 all versions
FortiDeceptor 1.1 all versions
FortiDeceptor 1.0 all versions
FortiSandbox version 4.2.0 through 4.2.2
FortiSandbox version 4.0.0 through 4.0.2
FortiSandbox version 3.2.0 through 3.2.3
FortiSandbox 3.1 all versions
FortiSandbox 3.0 all versions
FortiSandbox 2.5 all versions
Solutions
Please upgrade to FortiDeceptor version 4.2.0 or above
Please upgrade to FortiDeceptor version 4.1.1 or above
Please upgrade to FortiDeceptor version 4.0.2 or above
Please upgrade to FortiDeceptor version 3.3.3 or above
Please upgrade to FortiSandbox version 4.2.3 or above
Please upgrade to FortiSandbox version 4.0.3 or above
Please upgrade to FortiSandbox version 3.2.4 or above