Improper input validation in custom dataset

Summary

An improper input validation vulnerability [CWE-20] in FortiAnalyzer & FortiManager may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.


Workaround:

If enabled, disable the FortiAnalyzer features option in FortiManager via:

```
config system global
set faz-status disable
end
```


FortiManager 100C is not impacted due to the absence of FortiAnalyzer features option.

Affected Products

At least

FortiAnalyzer version 7.4.0 through 7.4.1
FortiAnalyzer version 7.2.0 through 7.2.3
FortiAnalyzer version 7.0.0 through 7.0.8
FortiAnalyzer version 6.4.0 through 6.4.12
FortiAnalyzer version 6.2.0 through 6.2.11

At least

FortiManager version 7.4.0 through 7.4.1
FortiManager version 7.2.0 through 7.2.3
FortiManager version 7.0.0 through 7.0.8
FortiManager version 6.4.0 through 6.4.12
FortiManager version 6.2.0 through 6.2.11

Solutions

Please upgrade to upcoming FortiAnalyzer version 7.4.2 or above
Please upgrade to FortiAnalyzer version 7.2.4 or above
Please upgrade to FortiAnalyzer version 7.0.9 or above
Please upgrade to FortiAnalyzer version 6.4.13 or above
Please upgrade to FortiAnalyzer version 6.2.12 or above

Please upgrade to upcoming FortiManager version 7.4.2 or above
Please upgrade to FortiManager version 7.2.4 or above
Please upgrade to FortiManager version 7.0.9 or above
Please upgrade to FortiManager version 6.4.13 or above
Please upgrade to FortiManager version 6.2.12 or above
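As an added example (not Fortinet's code), a small Python check that maps an appliance inventory to the affected ranges and first fixed versions listed above, including the FortiManager 100C exception; the hosts in the sample inventory are constructed.

```python
from typing import List, Optional, Tuple

# Affected ranges and first fixed versions exactly as the advisory lists them:
# (first affected, last affected, first fixed). The ranges are identical for
# both products, so one table serves both.
RANGES = [
    ("7.4.0", "7.4.1", "7.4.2"),   # 7.4.2 is described as "upcoming"
    ("7.2.0", "7.2.3", "7.2.4"),
    ("7.0.0", "7.0.8", "7.0.9"),
    ("6.4.0", "6.4.12", "6.4.13"),
    ("6.2.0", "6.2.11", "6.2.12"),
]
AFFECTED = {"FortiAnalyzer": RANGES, "FortiManager": RANGES}


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '6.4.12' into (6, 4, 12) so comparisons are numeric, not
    lexical ('6.4.12' < '6.4.9' as strings, which would misclassify)."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def first_fixed(product: str, version: str, model: str = "") -> Optional[str]:
    """Return the first fixed version if this appliance is affected, else None."""
    if product == "FortiManager" and model == "100C":
        return None  # no FortiAnalyzer features option, so not impacted
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def scan_inventory(rows: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, first fixed version) for every affected row of an
    inventory given as (host, product, version, model) tuples."""
    return [(host, fixed) for host, product, version, model in rows
            if (fixed := first_fixed(product, version, model))]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("fmg-01", "FortiManager", "7.2.3", ""),
    ("fmg-02", "FortiManager", "7.0.9", ""),
    ("fmg-old", "FortiManager", "6.4.12", "100C"),
    ("faz-01", "FortiAnalyzer", "7.4.1", ""),
    ("faz-02", "FortiAnalyzer", "7.4.2", ""),
]
```

Running `scan_inventory(SAMPLE_INVENTORY)` flags fmg-01 (upgrade to 7.2.4) and faz-01 (upgrade to 7.4.2); the 100C unit and the already-fixed builds are skipped.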

Acknowledgement

Fortinet is pleased to thank Darmin Blazevic (Fujitsu Services GmbH) for bringing this issue to our attention under responsible disclosure.

Timeline

2023-03-23: Initial publication