FortiToken Mobile (Android) - Deny request approved from External push notification
Publisher: Fortinet PSIRT Advisories
PSIRT contact: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-21-210
Status: Final
Document version: 1 (revision 1, dated 2022-03-01, is the current version)
Initial release date: 2022-03-01
Current release date: 2022-03-01
Summary: An improper access control vulnerability [CWE-284] in the external push notification handling of FortiToken Mobile (Android) may allow a remote attacker who has already obtained a user's password to access the protected system during the 2FA procedure, even though the legitimate user taps the Deny button on the push request. The attacker must already hold valid first-factor credentials (reflected as PR:L in the vector below), and the legitimate user must interact with the push prompt (UI:R); the weakness is that the deny response does not stop the authentication from completing.
None
Impact: Improper access control
Affected products:
FortiTokenAndroid 5.1 all versions
FortiTokenAndroid 5.0 all versions
FortiTokenAndroid 4.5 all versions
FortiTokenAndroid 4.4 all versions
FortiTokenAndroid 4.3 all versions
FortiTokenAndroid 4.2 all versions
FortiTokenAndroid 4.1 all versions
FortiTokenAndroid 4.0 all versions
Solution: Please upgrade FortiToken Mobile (Android) to version 5.2.0 or above.
Acknowledgement: Fortinet is pleased to thank Gerard Gerritsen from Gemeente Ede for reporting this vulnerability under responsible disclosure.
Affected versions:
FortiTokenAndroid 5.1.0
FortiTokenAndroid 5.0.3
FortiTokenAndroid 5.0.2
FortiTokenAndroid 4.5.0
FortiTokenAndroid 4.4.0
FortiTokenAndroid 4.3.0
FortiTokenAndroid 4.2.2
FortiTokenAndroid 4.2.1
FortiTokenAndroid 4.1.1
FortiTokenAndroid 4.0.1
FortiTokenAndroid 4.0.0
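A quick way to triage managed Android devices against the affected range above is to pull the app's versionName and compare it with the 4.0.0 to 5.1.x range the advisory lists and the 5.2.0 fix. The following is an added example written for this page, not Fortinet code: the package name com.fortinet.android.ftm and the layout of the dumpsys output are assumptions, and the sample output is constructed rather than captured from a device; only the version range comes from the advisory.

```python
"""Check whether an installed FortiToken Mobile (Android) build falls in the
range FG-IR-21-210 lists as affected (4.0.0 through 5.1.x; fixed in 5.2.0).

Added example, not Fortinet code. The package name com.fortinet.android.ftm and
the dumpsys output layout are assumptions; only the version range is taken
from the advisory.
"""
import re
from typing import Optional, Tuple

FIRST_AFFECTED = (4, 0, 0)   # lowest branch the advisory lists as affected
FIRST_FIXED = (5, 2, 0)      # "Please upgrade to version 5.2.0 or above"

# Constructed sample of `adb shell dumpsys package com.fortinet.android.ftm`
# output, reduced to the lines this check needs; not captured from a real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.fortinet.android.ftm] (3a1b2c3):
    userId=10142
    versionCode=5003 minSdk=23 targetSdk=30
    versionName=5.0.3
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.0.3' (or '5.1', or '5.0.3-beta') into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_from_dumpsys(output: str) -> Optional[str]:
    """Extract the versionName field from dumpsys package output, if present."""
    m = re.search(r"^\s*versionName=(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the advisory covers.

    Versions below 4.0.0 are not listed in the advisory at all; they return
    False here, which means 'not listed', not 'known safe'.
    """
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def assess(dumpsys_output: str) -> str:
    """Human-readable verdict for one device's dumpsys output."""
    version = version_from_dumpsys(dumpsys_output)
    if version is None:
        return "FortiToken Mobile not installed or versionName not found"
    if is_affected(version):
        return f"{version}: affected by FG-IR-21-210, upgrade to 5.2.0 or later"
    return f"{version}: not in the affected range"


if __name__ == "__main__":
    print(assess(SAMPLE_DUMPSYS))
```

On a fleet, feed each device's dumpsys output to assess(); anything reported as affected should be upgraded, and a missing versionName should be investigated rather than treated as safe.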
CVE ID: CVE-2021-44166
CVSSv3 score: 3.9
CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N/E:F/RL:U/RC:R
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-21-210