FG default configuration is not secure/ By default, FG does not verify LDAP server identity Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-19-037 Final 1 1 2019-07-26T00:00:00 Current version 2019-07-26T00:00:00 2019-07-26T00:00:00 A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. Information disclosure FortiOS 6.2.0 and below. For users running versions 6.0.3 to 6.2.0, enabling the CLI option that checks for LDAP server identity entirely prevents the issue. This option can be enabled only if secure and ca-cert of the LDAP server are set. config user ldapedit ldap-serverset ca-cert <ldap-server-certificate>set secure ldaps set server-identity-check enableFortiOS 6.2.1 and above have server-identity-check enabled by default, when installed from scratch.However, for compatibility reasons, the value of server-identity-check is kept unchanged throughout firmware upgrading. In other words, upgrading from 6.0.3 - 6.2.0 to 6.2.1 and above does not suffice to thwart the issue: server-identity-check must be enabled (prior the upgrade of after, indifferently). Fortinet is pleased to thank James Renken from the Internet Security Research Group and Florian Thiele for bringing this issue to our attention under responsible disclosure. CVE-2019-5591 5.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-19-037 FG default configuration is not secure/ By default, FG does not verify LDAP server identity Reference>