PSIRTLack of certificate verification when establishing secure connections
Summary
An improper certificate validation vulnerability [CWE-295] in FortiAnalyzer, FortiManager, and FortiSandbox may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
| Version | Affected | Solution |
|---|---|---|
| FortiAnalyzer 7.0 | 7.0.0 through 7.0.2 | Upgrade to 7.0.3 or above |
| FortiAnalyzer 6.4 | 6.4.0 through 6.4.7 | Upgrade to 6.4.8 or above |
| FortiAnalyzer 6.2 | 6.2 all versions | Migrate to a fixed release |
| FortiAnalyzer 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiManager 7.0 | 7.0.0 through 7.0.1 | Upgrade to 7.0.2 or above |
| FortiManager 6.4 | 6.4.0 through 6.4.6 | Upgrade to 6.4.7 or above |
| FortiManager 6.2 | 6.2.0 through 6.2.11 | Migrate to a fixed release |
| FortiManager 6.0 | 6.0 all versions | Migrate to a fixed release |
| FortiOS 6.4 | Not affected | Not Applicable |
| FortiOS 6.2 | 6.2.0 through 6.2.15 | Migrate to a fixed release |
| FortiOS 6.0 | 6.0.0 through 6.0.17 | Migrate to a fixed release |
| FortiOS 5.6 | 5.6.10 through 5.6.14 | Migrate to a fixed release |
| FortiSandbox 4.2 | Not affected | Not Applicable |
| FortiSandbox 4.0 | 4.0.0 through 4.0.2 | Upgrade to 4.0.3 or above |
| FortiSandbox 3.2 | 3.2 all versions | Migrate to a fixed release |
| FortiSandbox 3.1 | 3.1 all versions | Migrate to a fixed release |
| FortiSandbox 3.0 | 3.0 all versions | Migrate to a fixed release |