Missing authentication for managed device configuration files
Summary
A missing authentication for critical function vulnerability [CWE-306] in FortiManager and FortiPortal may allow a remote unauthenticated attacker to extract the configuration of all managed devices.
| Version | Affected | Solution |
|---|---|---|
| FortiManager Cloud 7.4 | 7.4.1 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiManager Cloud 7.2 | 7.2.1 through 7.2.5 | Upgrade to 7.2.7 or above |
| FortiManager Cloud 7.0 | 7.0.1 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 7.6 | Not affected | Not Applicable |
| FortiManager 7.4 | 7.4.0 through 7.4.2 | Upgrade to 7.4.3 or above |
| FortiManager 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
| FortiManager 7.0 | 7.0.0 through 7.0.12 | Upgrade to 7.0.13 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.14 | Upgrade to 6.4.15 or above |
LDAP credentials, admin credentials and user credentials stored in those configurations can be recovered unless the following setting is enabled on the managed FortiGate:
config system global
set private-data-encryption enable
end
Note that this setting must be enabled in every stored revision of the configuration: a revision saved before it was enabled still lets the attacker recover the credentials as they were set at the time of that revision.
In any case, it is recommended to limit access to the admin interface to specific IP address(es) with the trusthost feature:
config system admin user
edit "admin"
set trusthost1 x.x.x.x 255.255.255.255
next
end
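The following is an added example and not code from the Fortinet advisory or a Fortinet tool: a small checker that parses FortiOS / FortiManager CLI-style configuration text and reports the two conditions discussed above, the private-data-encryption setting (checked per stored revision, since an older revision without it still exposes credentials) and FortiManager admin users without a restrictive trusthost. The configuration samples are constructed for this example, the function names are the example's own, and the rule that a trusthost of 0.0.0.0 0.0.0.0 counts as "any source address" is a conservative assumption of this checker rather than a statement from the advisory.

```python
"""Added example: audit FortiGate revisions and FortiManager admins for the
two weaknesses named in the advisory. Config text is constructed; function
names are this example's own, not a Fortinet API."""
from __future__ import annotations

import re
import shlex
from typing import Dict, List

Block = Dict[str, object]


def parse_fortios(text: str) -> Block:
    """Turn `config ... end`, `edit ... next` and `set k v...` into nested dicts.

    `config system global` becomes root["system global"]; `edit "admin"` becomes
    a child dict keyed "admin"; `set k v1 v2` stores ["v1", "v2"].
    """
    root: Block = {}
    stack: List[Block] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blanks and #config-version headers
            continue
        tokens = shlex.split(line)  # FortiOS quotes string values
        kw = tokens[0]
        if kw == "config":
            child: Block = {}
            stack[-1][" ".join(tokens[1:])] = child
            stack.append(child)
        elif kw == "edit":
            child = {}
            stack[-1][tokens[1]] = child
            stack.append(child)
        elif kw in ("end", "next"):
            if len(stack) > 1:
                stack.pop()
        elif kw == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif kw == "unset":
            stack[-1].pop(tokens[1], None)
    return root


def private_data_encryption_enabled(cfg: Block) -> bool:
    """True only when `set private-data-encryption enable` is in system global."""
    return cfg.get("system global", {}).get("private-data-encryption") == ["enable"]


def revisions_missing_encryption(revisions: List[str]) -> List[int]:
    """Indices of stored FortiGate revisions whose credentials remain recoverable.
    Every revision is checked on its own, as the advisory requires."""
    return [i for i, text in enumerate(revisions)
            if not private_data_encryption_enabled(parse_fortios(text))]


def admins_without_trusthost(cfg: Block) -> List[str]:
    """FortiManager admins reachable from any IPv4 source.
    Assumption of this checker: no trusthostN, or one set to 0.0.0.0 0.0.0.0,
    means the admin interface is reachable from anywhere (IPv6 not examined)."""
    weak: List[str] = []
    for name, entry in cfg.get("system admin user", {}).items():
        if not isinstance(entry, dict):
            continue
        hosts = [v for k, v in entry.items() if re.fullmatch(r"trusthost\d+", k)]
        if not hosts or any(h[:1] == ["0.0.0.0"] for h in hosts):
            weak.append(name)
    return weak


def audit(fortigate_revisions: List[str], fortimanager_cfg: str) -> List[str]:
    """Human-readable findings for the managed device revisions and the manager."""
    findings = [f"FortiGate revision {i}: private-data-encryption not enabled; "
                "credentials in this revision are recoverable"
                for i in revisions_missing_encryption(fortigate_revisions)]
    for name in admins_without_trusthost(parse_fortios(fortimanager_cfg)):
        findings.append(f"FortiManager admin '{name}': no restrictive trusthost")
    return findings


# Constructed samples: an older revision saved before the setting was enabled,
# and the current revision with the advisory's recommended setting.
FORTIGATE_REV_OLD = """\
config system global
    set hostname "branch-fw"
    set admintimeout 10
end
"""
FORTIGATE_REV_NEW = """\
config system global
    set hostname "branch-fw"
    set private-data-encryption enable
end
"""
# Constructed FortiManager admin table: one admin pinned to a /32, one with no
# trusthost at all, one with the any-address wildcard.
FMG_SAMPLE = """\
config system admin user
    edit "admin"
        set trusthost1 10.20.30.40 255.255.255.255
    next
    edit "netops"
    next
    edit "auditor"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

if __name__ == "__main__":
    for finding in audit([FORTIGATE_REV_OLD, FORTIGATE_REV_NEW], FMG_SAMPLE):
        print(finding)
```

Run it against `show full-configuration` output exported from a FortiGate (one text per stored revision) and the FortiManager `show system admin user` output; the old revision and the two unrestricted admins are reported, while the current revision and the pinned `admin` account are not.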