FortiOS & FortiProxy - Anti brute-force bypass in administrative interface

Summary

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiOS & FortiProxy administrative interface may allow an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

Affected Products

FortiProxy version 7.2.0 through 7.2.1 FortiProxy version 7.0.0 through 7.0.7 FortiProxy 2.0 all versions FortiProxy 1.2 all versions FortiProxy 1.1 all versions FortiProxy 1.0 all versions FortiSwitchManager version 7.2.0 through 7.2.2 FortiSwitchManager version 7.0.0 through 7.0.2 FortiOS version 7.2.0 through 7.2.3 FortiOS version 7.0.0 through 7.0.10 FortiOS version 6.4.0 through 6.4.12 FortiOS 6.2 all versions

Solutions

Please upgrade to FortiProxy version 7.2.2 or above Please upgrade to FortiProxy version 7.0.8 or above Please upgrade to FortiOS version 7.2.4 or above Please upgrade to FortiOS version 7.0.11 or above Please upgrade to FortiOS version 6.4.13 or above

Acknowledgement

Internally discovered and reported by Goutham Rukmasah from Fortinet's FortiGuard Labs .

Timeline

2023-03-21: Initial publication