PSIRT Advisories

FortiSandbox - Predictable session IDs of JSON API

Summary

An instance of small space of random values in FortiSandbox RPC API may allow an attacker in possession of a few information pieces about the state of the device to possibly predict valid session IDs.

Affected Products

FortiSandbox version 3.2.2 and below.
FortiSandbox version 3.1.4 and below.

Solutions

Upgrade to FortiSandbox version 4.0.0.

Upgrade to FortiSandbox version 3.2.3.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.