Access to backend information and logs via REST API on shared environments
Summary
An improper access control vulnerability [CWE-284] in the FortiEDR Manager API may allow, in a shared environment context, an authenticated admin who has REST API permissions in their profile and is restricted to a specific organization to access backend logs that include information related to other organizations.
| Version | Affected | Solution |
|---|---|---|
| FortiEDR Manager 6.2 | 6.2.0 through 6.2.1 | Upgrade to 6.2.2 or above |
| FortiEDR Manager 6.0 | 6.0 all versions | Migrate to a fixed release |
This issue is already fixed at the configuration level on all shared environments maintained by Fortinet.
For on-premise deployments, please follow this sequence:
1- Upgrade to 6.2.1.
Then apply the following changes:
2- Open the following file: /opt/FortiEDR/webapp/rbac/rbac-config.json
3- Look for "rbacId":"rest-system-inventory-get-system-logs" and, in that object, add "isCrossSystem": true.
Eventually the object should look like this:
```json
{
  "rbacId": "rest-system-inventory-get-system-logs",
  "value": "rest.SystemInventoryRestController.getSystemLogs",
  "isCrossSystem": true,
  "type": "API"
}
```
4- Restart the manager by running this command:
```
fortiedr restart manager
```
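The following script is an added example, not a Fortinet tool, that applies and verifies the rbac-config.json change from steps 2 and 3 above so the edit is idempotent and can be audited across several on-premise managers. The file path and the `rbacId`/`isCrossSystem` values are taken from this advisory; the assumption that the file is valid JSON in which the rule appears as an object carrying an `rbacId` key (at any nesting depth) is mine, and the sample configuration embedded below is constructed for illustration. Step 1 (upgrade) and step 4 (restart) are still performed by hand.

```python
"""Check or apply the "isCrossSystem": true mitigation in rbac-config.json (added example)."""
import json
import shutil
import sys
from pathlib import Path

# Path and identifiers as given in the advisory.
RBAC_CONFIG_PATH = Path("/opt/FortiEDR/webapp/rbac/rbac-config.json")
TARGET_RBAC_ID = "rest-system-inventory-get-system-logs"

# Constructed sample: the second object mirrors the one shown in the advisory
# (before the fix); the first entry is made up to show that unrelated rules are untouched.
SAMPLE_CONFIG_TEXT = """
[
  {"rbacId": "rest-example-unrelated-endpoint", "value": "rest.Example.get", "type": "API"},
  {"rbacId": "rest-system-inventory-get-system-logs",
   "value": "rest.SystemInventoryRestController.getSystemLogs",
   "type": "API"}
]
"""


def parse_config(text):
    """Parse the configuration file content; raises ValueError on malformed JSON."""
    return json.loads(text)


def iter_rbac_objects(node):
    """Yield every dict that carries an "rbacId" key, at any nesting depth (assumed layout)."""
    if isinstance(node, dict):
        if "rbacId" in node:
            yield node
        for child in node.values():
            yield from iter_rbac_objects(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_rbac_objects(child)


def find_rule(config, rbac_id=TARGET_RBAC_ID):
    """Return the rule object with the given rbacId, or None if absent."""
    for obj in iter_rbac_objects(config):
        if obj.get("rbacId") == rbac_id:
            return obj
    return None


def is_mitigated(config, rbac_id=TARGET_RBAC_ID):
    """True only when the rule exists and carries the JSON boolean true (not the string "true")."""
    rule = find_rule(config, rbac_id)
    return rule is not None and rule.get("isCrossSystem") is True


def apply_mitigation(config, rbac_id=TARGET_RBAC_ID):
    """Set "isCrossSystem": true on the rule in place; return True if anything changed."""
    rule = find_rule(config, rbac_id)
    if rule is None:
        raise KeyError(f"no object with rbacId {rbac_id!r} found; check the file layout")
    if rule.get("isCrossSystem") is True:
        return False
    rule["isCrossSystem"] = True
    return True


def main(argv):
    mode = argv[1] if len(argv) > 1 else "check"
    path = Path(argv[2]) if len(argv) > 2 else RBAC_CONFIG_PATH
    config = parse_config(path.read_text())
    if mode == "check":
        ok = is_mitigated(config)
        print("mitigated" if ok else "NOT mitigated")
        return 0 if ok else 1
    if mode == "apply":
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))  # keep a backup first
        if apply_mitigation(config):
            path.write_text(json.dumps(config, indent=2) + "\n")
            print(f"updated {path}; now run: fortiedr restart manager")
        else:
            print("already mitigated, nothing written")
        return 0
    print(f"usage: {argv[0]} check|apply [path]")
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python3 rbac_fix.py check` on the manager host to report the current state, and `python3 rbac_fix.py apply` to write the change (a `.bak` copy is kept beside the file). The check deliberately requires the JSON boolean `true`; a string value such as `"true"` is reported as not mitigated because that is not what the advisory specifies.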
Timeline
2024-09-10: Initial publication
2024-09-17: Solution update + more precision on patch