Cert private key disclosure Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-20-014 Final 1 1 2023-02-16T00:00:00 Current version 2023-02-16T00:00:00 2023-02-16T00:00:00 A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate and FortiAuthenticator may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.The potentially exposed private keys have been revoked, please upgrade to the versions provided in the solutions to support push proxy. None Information disclosure FortiOS version 6.4.0 through 6.4.1FortiOS version 6.2.0 through 6.2.9FortiOS version 6.0.0 through 6.0.13FortiAuthenticator version 6.1.0FortiAuthenticator version 6.0.0 through 6.0.4FortiAuthenticator 5.5 all versions Please upgrade to FortiGate version 6.4.2 or above.Please upgrade to FortiOS version 6.2.10 or abovePlease upgrade to FortiOS version 6.0.14 or abovePlease upgrade to FortiAuthenticator version 6.2.0 or abovePlease upgrade to FortiAuthenticator version 6.1.1 or abovePlease upgrade to FortiAuthenticator version 6.0.5 or aboveWorkaround in FortiOS:Disable the FTM push service by using the below commands:config system ftm-pushset status disableend Fortinet is pleased to thank Independent security researcher Tom Pohl (https://twitter.com/tompohl) for reporting this vulnerability under responsible disclosure. CVE-2022-22302 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-20-014 Cert private key disclosure Reference>