PSIRT Advisories

FortiOS & FortiProxy - SSH authentication bypass when RADIUS authentication is used

Summary

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server. 

Affected Products

FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.7
FortiOS version 6.4.0 through 6.4.9
FortiOS version 6.2 through 6.2.12
FortiProxy version 7.0.0 through 7.0.6
FortiProxy version 2.0.0 through 2.0.10
FortiProxy version 1.2.0 all versions

Solutions

Please upgrade to FortiOS version 7.2.2 or above
Please upgrade to FortiOS version 7.0.8 or above
Please upgrade to FortiOS version 6.4.10 or above
Please upgrade to upcoming FortiOS version 6.2.13 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiProxy version 2.0.11 or above

Acknowledgement

Fortinet is pleased to thank Egbert Nijmeijer from ICT Teamwork for reporting this vulnerability under responsible disclosure.