Lack of certificate verification when establishing secure connections to external end-points
Summary
An improper certificate validation vulnerability [CWE-295] in FortiOS may allow a network-adjacent, unauthenticated attacker to man-in-the-middle the communication between the FortiGate and some peers, such as private SDNs and external cloud platforms.
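As an added illustration, not code from Fortinet or from FortiOS (whose implementation is not public), the weak pattern behind CWE-295 is shown beside its hardened form using Python's ssl module, together with a small audit helper a reviewer can run over a client context; the host, port and CA-bundle parameters are assumptions.

```python
import socket
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The CWE-295 anti-pattern: TLS is negotiated, but the peer's certificate is
    never validated, so any on-path party presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # chain is not checked against any trust anchor
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: require a certificate, validate its chain against a trusted CA
    set (system store, or the given bundle for a private CA), and match the name in
    the certificate against the host that was dialed."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the CWE-295-style weaknesses present in a client TLS context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate chain is not validated (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the target host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions below 1.2 are accepted")
    return findings


def connect_verified(host: str, port: int = 443,
                     ca_bundle: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS connection that fails closed: ssl.SSLCertVerificationError is
    raised when the peer presents an untrusted or mismatched certificate.
    host/port/ca_bundle are caller-supplied assumptions, not FortiOS values."""
    ctx = hardened_client_context(ca_bundle)
    raw = socket.create_connection((host, port), timeout=10)
    # server_hostname drives both SNI and the hostname check against the certificate.
    return ctx.wrap_socket(raw, server_hostname=host)
```

Running audit_context over weak_client_context() reports all three findings, while the hardened context reports none.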
Affected Products
FortiOS version 6.0.0 through 6.0.14
FortiOS version 6.2.0 through 6.2.10
FortiOS version 6.4.0 through 6.4.8
FortiOS version 7.0.0
Solutions
Please upgrade to FortiOS version 7.0.1 or above.
Please upgrade to FortiOS version 6.4.9 or above.
Timeline
2022-05-03: Initial publication