FortiOS - Missing certificate CN/SAN validation leads to information disclosure
Fortinet PSIRT Advisories
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
FG-IR-21-074
Final
1
1
2021-11-02T00:00:00
Current version
2021-11-02T00:00:00
2021-11-02T00:00:00
An improper validation of certificate with host mismatch [CWE-297] vulnerability in FortiOS may allow a connection to a malicious LDAP server via options in the GUI, leading to the disclosure of sensitive information, such as AD credentials.
Information disclosure
FortiGate version 7.0.1 and below.
FortiGate version 6.4.6 and below.
FortiGate version 6.2.9 and below.
Please upgrade to FortiGate version 7.0.2 or above.
Please upgrade to FortiGate version 6.4.7 or above.
Please upgrade to FortiGate version 6.2.10 or above.
Fortinet is pleased to thank John Headley from VPLS for reporting this vulnerability under responsible disclosure.
FortiOS 7.0.1
FortiOS 7.0.0
FortiOS 6.4.6
FortiOS 6.4.5
FortiOS 6.4.4
FortiOS 6.4.3
FortiOS 6.4.2
FortiOS 6.4.1
FortiOS 6.4.0
FortiOS 6.2.9
FortiOS 6.2.8
FortiOS 6.2.7
FortiOS 6.2.6
FortiOS 6.2.5
FortiOS 6.2.4
FortiOS 6.2.3
FortiOS 6.2.2
FortiOS 6.2.1
CVE-2021-41019
FortiOS-7.0.1
FortiOS-7.0.0
FortiOS-6.4.6
FortiOS-6.4.5
FortiOS-6.4.4
FortiOS-6.4.3
FortiOS-6.4.2
FortiOS-6.4.1
FortiOS-6.4.0
FortiOS-6.2.9
FortiOS-6.2.8
FortiOS-6.2.7
FortiOS-6.2.6
FortiOS-6.2.5
FortiOS-6.2.4
FortiOS-6.2.3
FortiOS-6.2.2
FortiOS-6.2.1
3.2
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
Reference: https://fortiguard.fortinet.com/psirt/FG-IR-21-074