Multiple lack of client-side certificate validation when establishing secure connections

Summary

An improper certificate validation vulnerability [CWE-295] in FortiADC may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and various remote servers such as private SDN connectors and FortiToken Cloud.
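To make the weakness class concrete, the following Python snippet (an added example written for this page, not Fortinet's or FortiADC's code) places the CWE-295 pattern beside the corrected one and adds a small audit function a reviewer can run over any client-side ssl.SSLContext. All function names are illustrative assumptions; no FortiADC component, hostname or certificate is modelled.

```python
"""Client-side TLS certificate validation: weak pattern vs. corrected pattern.

Added example, not Fortinet's code. Function names are assumptions.
"""
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    # The CWE-295 pattern: TLS is negotiated, but neither the server's
    # certificate chain nor its hostname is ever checked, so any on-path
    # party presenting a self-signed certificate is silently accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    # create_default_context() already enables CERT_REQUIRED and hostname
    # checking and loads the platform trust store. Passing a cafile limits
    # trust to the CA that issued the remote service's certificate, which
    # is the usual choice for a fixed integration endpoint.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return short codes for the validation weaknesses present in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")   # server chain never verified
    if not ctx.check_hostname:
        findings.append("no-hostname-check")     # cert not matched to the name dialled
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-min-version")
    return findings


def fetch_peer_cert(host: str, port: int, ctx: ssl.SSLContext,
                    timeout: float = 5.0) -> dict:
    """Connect with the given context and return the validated peer certificate.

    Requires network access. With a properly configured context, an
    untrusted or mismatched certificate raises ssl.SSLCertVerificationError;
    the caller must treat that as a hard failure, never as a cue to retry
    with verification switched off.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("secure:  ", audit_client_context(secure_client_context()))
```

Running the module prints the findings for both contexts; the audit helper is the part worth reusing, for instance in a unit test that fails the build whenever a client context reaches production with chain validation or hostname checking disabled.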

Version         Affected                 Solution
FortiADC 7.4    7.4.0                    Upgrade to 7.4.1 or above
FortiADC 7.2    7.2.0 through 7.2.3      Upgrade to 7.2.4 or above
FortiADC 7.1    7.1 all versions         Migrate to a fixed release
FortiADC 7.0    7.0 all versions         Migrate to a fixed release
FortiADC 6.2    6.2 all versions         Migrate to a fixed release
FortiADC 6.1    6.1 all versions         Migrate to a fixed release
FortiADC 6.0    6.0 all versions         Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.

Timeline

2024-07-09: Initial publication