The following is a list of advisories for issues resolved in Fortinet products. The resolution of such issues is coordinated by the Fortinet Product Security Incident Response Team (PSIRT), a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Fortinet products and services.
-
A path traversal vulnerability [CWE-22] in FortiAP-U CLI may allow an admin user to delete and access unauthorized files and data via specifically crafted CLI commands.
-
An execution with unnecessary privileges vulnerability [CWE-250] in FortiClientWindows may allow a local attacker to perform an arbitrary file write on the system.
-
Security advisories were released affecting the version of Apache Airflow library used in some Fortinet products:
CVE-2020-13927:
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide: https://github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
CVE-2020-11982:
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
CVE-2020-11981:
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
CVE-2021-35936:
If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also binds on 0.0.0.0 by default. This logging server had no authentication and allows reading log files of DAG jobs. This issue affects Apache Airflow 2.1.2.
CVE-2021-28359:
The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions 1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336).
CVE-2020-17526:
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.
CVE-2020-17513:
In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.
-
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAuthenticator OWA Agent may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.
-
An improper validation of certificate with host mismatch vulnerability [CWE-297] in FortiTokenMobile may allow an unauthenticated user to spoof the validation server identity and achieve a Man-in-the-Middle attack.
-
An improper certificate validation vulnerability [CWE-295] in FortiOS, FortiAnalyzer, FortiManager, and FortiSandbox may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the listed products and some external peers.
-
A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiDDoS API may allow an attacker who managed to retrieve the key from one device to sign JWT tokens for any device.
-
An external control of file name or path vulnerability [CWE-73] in FortiClient Windows may allow an unprivileged attacker to delete or execute files with admin rights via the MSI installer.
-
An improper access control vulnerability [CWE-284] in FortiSOAR may allow an unauthenticated attacker to access gateway API data via crafted HTTP GET requests.
-
An improper access control vulnerability [CWE-284] in FortiIsolator may allow an authenticated, non privileged attacker to regenerate the CA certificate via the regeneration URL.
-
An improper access control vulnerability [CWE-284] in FortiOS may allow an authenticated attacker with a restricted user profile to gather sensitive information and modify the SSL-VPN tunnel status of other VDOMs using specific CLI commands.
-
Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.
-
A server-generated error message containing sensitive information vulnerability [CWE-550] in FortiOS and FortiProxy web proxy may allow a malicious webserver to retrieve a web proxy's client username and IP via same origin HTTP requests triggering proxy-generated HTTP status codes pages.
-
An improper certificate validation vulnerability [CWE-295] in FortiOS may allow a network adjacent and unauthenticated attacker to man-in-the-middle the communication between the FortiGate and some peers such as private SDNs and external cloud platforms.
-
Some advisories were released affecting the version of PJSIP library used in some Fortinet products:
CVE-2021-43845:
PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message
contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access.
This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR message with an invalid packet size.
CVE-2021-37706:
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols
such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victims network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victims machine. Users are advised to upgrade as soon as possible. There are no known workarounds.
CVE-2021-43804:
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.
CVE-2021-32686:
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.
CVE-2021-21375:
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service.
CVE-2020-15260:
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, PJSIP transport can be reused if they have the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote hostname authentication. Suppose we have created a TLS connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we want to create a TLS connection to another hostname, say `sip.bar.com`, which has the same IP address, then it will reuse that existing connection, even though `100.1.1.1` does not have certificate to authenticate as `sip.bar.com`. The vulnerability allows for an insecure interaction without user awareness. It affects users who need access to connections to different destinations that translate to the same address, and allows man-in-the-middle attack if attacker can route a connection to another destination such as in the case of DNS spoofing.
-
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiProxy and FortiOS web filter override form may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.
-
A use of a broken or risky cryptographic algorithm vulnerability [CWE-327] in the Dynamic Tunnel Protocol of FortiWAN may allow an unauthenticated remote attacker to decrypt and forge protocol communication messages.
-
Multiple stack-based buffer overflow vulnerabilities [CWE-121] both in network daemons and in the command line interpreter of FortiWAN may allow an unauthenticated attacker to potentially corrupt control data in memory and execute arbitrary code via specifically crafted requests.
-
Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiWAN may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
-
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiWAN may allow an attacker to perform a stored cross-site scripting attack via specifically crafted HTTP requests.
-
A use of a one-way hash with a predictable salt vulnerability [CWE-760] in FortiWAN may allow an attacker who has previously come in possession of the password file to potentially guess passwords therein stored.
-
Multiple improper neutralization of special elements used in an OS command vulnerabilities (CWE-78) in FortiWAN Web GUI may allow an authenticated attacker to execute arbitrary commands on the underlying system's shell via specifically crafted HTTP requests.
-
A use of hard-coded cryptographic key vulnerability [CWE-321] in the registration mechanism of FortiEDR collectors may allow a local attacker to disable and uninstall the collectors from the end-points within the same deployment.
-
A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiEDR may allow an unauthenticated attacker on the network to disguise as and forge messages from other collectors.
-
An improper control of a resource through its lifetime [CWE-664] vulnerability in FortiEDR Collector may allow a privileged attacker to make the application unresponsive via changing its root directory access permission.