FortiPortal - Insecure password generation

Summary

The use of a cryptographically weak pseudo-random number generator (CWE-338) in the password reset feature of FortiPortal may allow a remote unauthenticated attacker to predict part or all of a newly generated password within a given time frame.
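
The weakness described above, as an added illustration that is not FortiPortal's code and assumes nothing about its internals: a hypothetical reset routine seeds a non-cryptographic PRNG from the wall clock, so an attacker who can bound the moment of the reset to a window of a few seconds (for instance from the Date header of the reset response) regenerates the password for every seed in that window and obtains a short candidate list that contains the real password. Learning even a few characters of the password pins down the seed and reveals the rest, which is the "part or all" in the summary. The hardened form, drawing from the OS CSPRNG via the secrets module, is shown beside it. The character set, password length and millisecond seed are assumed values chosen for the example.

```python
import random
import secrets
import string
import time

# Character set and length for generated reset passwords (assumed values, not FortiPortal's).
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12


def weak_reset_password(now_ms: int) -> str:
    """Hypothetical CWE-338 pattern: a non-cryptographic PRNG (Mersenne Twister)
    seeded from the wall clock in milliseconds. The output is a pure function
    of the seed, so anyone who can guess the timestamp can regenerate it."""
    rng = random.Random(now_ms)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def strong_reset_password(length: int = PASSWORD_LEN) -> str:
    """Hardened form: secrets draws from the OS CSPRNG; there is no seed to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def enumerate_candidates(window_start_ms: int, window_end_ms: int) -> list[str]:
    """Attacker side: regenerate the password for every millisecond in the window
    during which the reset is known to have happened. Cost is linear in the
    window width, not in the 62**12 password space."""
    return [weak_reset_password(s) for s in range(window_start_ms, window_end_ms + 1)]


def narrow_by_known_prefix(candidates: list[str], known_prefix: str) -> list[str]:
    """If a few leading characters leak, they single out the seed among the
    candidates and thereby reveal the remaining characters."""
    return [c for c in candidates if c.startswith(known_prefix)]


def attack_succeeds(target: str, window_start_ms: int, window_end_ms: int) -> bool:
    """True if the target password lies within the enumerated candidate set."""
    return target in enumerate_candidates(window_start_ms, window_end_ms)


if __name__ == "__main__":
    # Constructed scenario: the victim's reset happened at t0; the attacker only
    # knows it happened within one second either side of their observation.
    t0 = time.time_ns() // 1_000_000
    leaked = weak_reset_password(t0)
    cands = enumerate_candidates(t0 - 1000, t0 + 1000)
    print(f"weak: {len(cands)} candidates for a 2 s window, real password included: {leaked in cands}")
    narrowed = narrow_by_known_prefix(cands, leaked[:3])
    print(f"weak: knowing the prefix {leaked[:3]!r} leaves {len(narrowed)} candidate(s)")
    print(f"strong: fresh password in the same candidate list: {strong_reset_password() in cands}")
```

The enumeration cost is the size of the time window in seed units, which is why the advisory speaks of prediction "within a given time frame": the wider the attacker's uncertainty about when the reset ran, the more candidates, but the count grows linearly rather than with the password length. Replacing the seeded generator with the CSPRNG removes the seed entirely, so no window, however narrow, yields a candidate list.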

Affected Products

FortiPortal version 6.0.5 and below.
FortiPortal version 5.3.6 and below.
FortiPortal version 5.2.6 and below.
FortiPortal version 5.1.2 and below.
FortiPortal version 5.0.3 and below.
FortiPortal version 4.2.4 and below.
FortiPortal version 4.1.2 and below.
FortiPortal version 4.0.4 and below.

Solutions

Upgrade to FortiPortal version 6.0.6 or above.
Upgrade to FortiPortal version 5.3.7 or above.
Upgrade to FortiPortal version 5.2.7 or above.

Acknowledgement

Internally discovered and reported by Giuseppe Cocomazzi of Fortinet Product Security team.