Syslog not protected by an extra layer of authentication

Summary

A insufficient verification of data authenticity vulnerability [CWE-345] in FortiAnalyzer, FortiAnalyzer-BigData and FortiManager with FortiAnalyzer features may allow a remote unauthenticated attacker to send messages to the syslog server of FortiAnalyzer via the knoweldge of an authorized device serial number.

Affected Products

FortiAnalyzer-BigData version 7.2.0 through 7.2.5
FortiAnalyzer-BigData 7.0 all versions
FortiAnalyzer-BigData 6.4 all versions
FortiAnalyzer-BigData 6.2 all versions
FortiManager version 7.4.0
FortiManager version 7.2.0 through 7.2.3
FortiManager version 7.0.0 through 7.0.9
FortiManager 6.4 all versions
FortiManager 6.2 all versions
FortiAnalyzer version 7.4.0
FortiAnalyzer version 7.2.0 through 7.2.3
FortiAnalyzer version 7.0.0 through 7.0.9
FortiAnalyzer 6.4 all versions
FortiAnalyzer 6.2 all versions

Solutions

Please upgrade to FortiAnalyzer-BigData version 7.4.0 or above
Please upgrade to FortiAnalyzer-BigData version 7.2.6 or above
Please upgrade to FortiManager version 7.4.1 or above
Please upgrade to FortiManager version 7.2.4 or above
Please upgrade to FortiManager version 7.0.10 or above
Please upgrade to FortiAnalyzer version 7.4.1 or above
Please upgrade to FortiAnalyzer version 7.2.4 or above
Please upgrade to FortiAnalyzer version 7.0.10 or above

AND

Configure the "un-encrypted-logging" option to disable receiving syslog without encryption through UDP(514) or TCP(514).

config system log setting
set un-encrypted-logging disable

Acknowledgement

Internally discovered and reported by Francesco Pesare from Fortinet's professional services team.

Timeline

2023-10-02: Initial publication

2023-10-30: Adding FortiManager with FortiAnalyzer features