FortiAuthenticator - Improper access control in HA service
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-20-217
Final
1
1
2022-02-01T00:00:00
Current version
2022-02-01T00:00:00
2022-02-01T00:00:00
An improper access control vulnerability [CWE-284] in the FortiAuthenticator HA service may allow an attacker on the same VLAN as the HA management interface to make an unauthenticated direct connection to the FAC's database.
None
Improper access control
FortiAuthenticator 6.3.2 and below. FortiAuthenticator 6.2.x. FortiAuthenticator 6.1.x. FortiAuthenticator 6.0.x.
Please upgrade to FortiAuthenticator 6.4.0 or above. Please upgrade to FortiAuthenticator 6.3.3 or above.
Fortinet is pleased to thank Steven Shockley for reporting this issue under responsible disclosure.
FortiAuthenticator 6.3.2
FortiAuthenticator 6.3.1
FortiAuthenticator 6.3.0
FortiAuthenticator 6.2.2
FortiAuthenticator 6.2.1
FortiAuthenticator 6.2.0
FortiAuthenticator 6.1.3
FortiAuthenticator 6.1.2
FortiAuthenticator 6.1.1
FortiAuthenticator 6.1.0
FortiAuthenticator 6.0.8
FortiAuthenticator 6.0.7
FortiAuthenticator 6.0.6
FortiAuthenticator 6.0.5
FortiAuthenticator 6.0.4
FortiAuthenticator 6.0.3
FortiAuthenticator 6.0.2
FortiAuthenticator 6.0.1
FortiAuthenticator 6.0.0
CVE-2021-36177
FortiAuthenticator-6.3.2
FortiAuthenticator-6.3.1
FortiAuthenticator-6.3.0
FortiAuthenticator-6.2.2
FortiAuthenticator-6.2.1
FortiAuthenticator-6.2.0
FortiAuthenticator-6.1.3
FortiAuthenticator-6.1.2
FortiAuthenticator-6.1.1
FortiAuthenticator-6.1.0
FortiAuthenticator-6.0.8
FortiAuthenticator-6.0.7
FortiAuthenticator-6.0.6
FortiAuthenticator-6.0.5
FortiAuthenticator-6.0.4
FortiAuthenticator-6.0.3
FortiAuthenticator-6.0.2
FortiAuthenticator-6.0.1
FortiAuthenticator-6.0.0
4.1
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:F/RL:U/RC:C
https://fortiguard.fortinet.com/psirt/FG-IR-20-217