PSIRT Advisories

FortiTester - Undocumented shell command

Summary

A hidden functionality vulnerability [CWE-1242] in FortiTester CLI may allow a local, privileged user to obtain a root shell on the device via an undocumented command.

Affected Products

FortiTester version 7.1.0
FortiTester version 7.0.0
FortiTester version 4.2.0
FortiTester version 4.1.0 through 4.1.1
FortiTester version 4.0.0
FortiTester version 3.9.0 through 3.9.1
FortiTester version 3.8.0
FortiTester version 3.7.0 through 3.7.1
FortiTester version 3.6.0
FortiTester version 3.5.0 through 3.5.1
FortiTester version 3.4.0
FortiTester version 3.3.0 through 3.3.1
FortiTester version 3.2.0
FortiTester version 3.1.0
FortiTester version 3.0.0
FortiTester version 2.9.0
FortiTester version 2.8.0
FortiTester version 2.7.0
FortiTester version 2.6.0
FortiTester version 2.5.0
FortiTester version 2.4.0 through 2.4.1
FortiTester version 2.3.0

Solutions

Please upgrade to FortiTester version 7.2.0 or above
Please upgrade to FortiTester version 7.1.1 or above
Please upgrade to FortiTester version 4.2.1 or above
Please upgrade to FortiTester version 3.9.2 or above

Acknowledgement

Internally discovered and reported by Wilfried Djettchou of Fortinet Product Security team.