FortiAnalyzer & FortiManager - Lack of client-side certificate validation when establishing secure connections with FortiGuard to download outbreakalert
Summary
An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer and FortiManager may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the device and the remote FortiGuard server hosting outbreakalert resources.
Affected Products
FortiManager version 7.2.0 through 7.2.1
FortiManager version 7.0.0 through 7.0.5
FortiManager version 6.4.8 through 6.4.10
FortiAnalyzer version 7.2.0 through 7.2.1
FortiAnalyzer version 7.0.0 through 7.0.5
FortiAnalyzer version 6.4.8 through 6.4.10
Solutions
Please upgrade to FortiManager version 7.2.2 or above
Please upgrade to FortiManager version 7.0.6 or above
Please upgrade to FortiManager version 6.4.11 or above
Please upgrade to FortiAnalyzer version 7.2.2 or above
Please upgrade to FortiAnalyzer version 7.0.6 or above
Please upgrade to FortiAnalyzer version 6.4.11 or above