PSIRT Advisories

Multiple products - Lack of certificate verification when establishing secure connections

Summary

An improper certificate validation vulnerability [CWE-295] in FortiOS, FortiAnalyzer, FortiManager, and FortiSandbox may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
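As an added illustration of the CWE-295 pattern named in the summary (example code written here, not Fortinet's implementation): a Python TLS client context that never verifies the peer, beside the corrected context that requires a chain to a trusted CA and a hostname match, with a small audit helper a reviewer can run over any client context. The `cafile` parameter is an assumed operator-supplied CA bundle path.

```python
import ssl
from typing import List, Optional

# Added example, not code from the advisory or the affected products.


def weak_client_context() -> ssl.SSLContext:
    """Vulnerable pattern (CWE-295): any certificate is accepted, so a peer on
    the path can present its own and read or alter the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # chain is never validated
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Corrected form: chain must reach a trusted CA and the name must match.
    cafile is an assumed path to a CA bundle; None falls back to system trust."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return CWE-295 findings for a client context; an empty list means the
    context validates both the chain and the peer identity."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: peer identity not bound to hostname")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "ok")
```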

Affected Products

FortiOS versions 6.2.x
FortiOS versions 6.0.x
FortiOS versions 5.6.x
FortiManager versions 7.0.1 and below
FortiManager versions 6.4.6 and below
FortiAnalyzer versions 7.0.2 and below
FortiAnalyzer versions 6.4.7 and below
FortiSandbox versions 4.0.x
FortiSandbox versions 3.2.x
FortiSandbox versions 3.1.5 and below

Solutions

Please upgrade to FortiOS version 7.0.0 or above.
Please upgrade to FortiOS version 6.4.0 or above.
Please upgrade to FortiManager version 7.0.2 or above.
Please upgrade to FortiManager version 6.4.7 or above.
Please upgrade to FortiAnalyzer version 7.0.3 or above.
Please upgrade to FortiAnalyzer version 6.4.8 or above.
Please upgrade to FortiSandbox version 4.2.0 or above.