Fortinet seals multiple vulnerabilities in numerous products

Several vulnerabilities in a number of Fortinet products could allow attackers to execute arbitrary code, elevate their privileges or gain unauthorized access to files. The manufacturer has released updated software that eliminates the problems. Administrators should install the updates promptly.

FortiNAC contains an unprotected MySQL root account: an empty password in the configuration could allow authenticated attackers to access the MySQL database from the command line (CVE-2022-26117, CVSS 8.0, risk "high"). Affected are FortiNAC versions 8.3.7 through 9.2.3; versions 9.1.6 and 9.2.4 and newer fix the flaw. Several path-traversal vulnerabilities in FortiDeceptor could allow authenticated malicious actors to download or delete arbitrary files using crafted web requests (CVE-2022-30302, CVSS 7.9, high). Versions 1.0.0 through 4.0.1 contain the flaw; versions 3.3.3, 4.0.2 and 4.1.0 contain the developers' corrections.

Another path-traversal vulnerability, this one in FortiClient for Windows, could allow attackers to escalate their privileges to SYSTEM via the named pipe used by the FortiESNAC service (CVE-2021-41031, CVSS 7.8, high). FortiClient for Windows 6.2.0 through 7.0.2 is affected. The developers close the gap in versions 6.4.7, 7.0.3 and newer.

A buffer copy without a size check, the classic buffer overflow, could allow privileged malicious actors on FortiAnalyzer, FortiManager, FortiOS and FortiProxy to execute arbitrary code or commands through the CLI commands "execute restore image" and "execute certificate remote" when used with TFTP (CVE-2021-43072, CVSS 7.4, high). Affected are FortiAnalyzer and FortiManager 5.6.0 through 7.0.2; versions 6.4.8 and 7.0.3 fix the bug. On FortiOS, versions 6.0.0 through 7.0.5 are vulnerable; the updates 6.2.11, 6.4.9, 7.0.6 and 7.2.0 are available. Finally, users of FortiProxy 1.0.0 through 7.0.3 should update to 2.0.9, 7.0.4 or newer to close the weak points.
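The affected and fixed version ranges in the three paragraphs above are easy to misread, because a fix on one branch (for example FortiOS 6.4.9) does not help a device on an older branch (FortiOS 6.0.x), which has to move to the next branch with a fix. The following Python script is an added example, not tooling from the article or from Fortinet: it transcribes the ranges given above into a branch-aware triage check and runs it over a constructed inventory. It assumes that release numbers compare numerically on major.minor.patch (so "5.0.3 patch 7" style strings are deliberately left out), that a branch is the major.minor pair, and that a release on a branch with a listed fix is clean from that fix onward; all hostnames and the inventory are made up.

```python
"""Branch-aware triage of the Fortinet version ranges listed in the article.

Added example; not Fortinet's own tooling. ADVISORIES is transcribed from the
article text; the branch model and the inventory are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'7.0.3' -> (7, 0, 3); missing trailing components are treated as 0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def fmt_version(v: Version) -> str:
    return ".".join(map(str, v))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    affected_from: str            # inclusive, as stated in the article
    affected_to: str              # inclusive, as stated in the article
    fixed_in: Tuple[str, ...]     # first fixed release on each branch

    def is_affected(self, version: str) -> bool:
        v = parse_version(version)
        lo, hi = parse_version(self.affected_from), parse_version(self.affected_to)
        if not (lo <= v <= hi):
            return False
        # Assumption: a release on a branch (major.minor) that has a listed fix
        # is clean once it is at or above that fix.
        for fixed in map(parse_version, self.fixed_in):
            if fixed[:2] == v[:2] and v >= fixed:
                return False
        return True

    def recommended_upgrade(self, version: str) -> Optional[str]:
        """Lowest fix on the same branch; otherwise the lowest fix above the
        running version (a branch with no fix has to move to a newer branch)."""
        if not self.is_affected(version):
            return None
        v = parse_version(version)
        fixed = sorted(map(parse_version, self.fixed_in))
        same_branch = [f for f in fixed if f[:2] == v[:2]]
        candidates = same_branch or [f for f in fixed if f > v]
        return fmt_version(candidates[0]) if candidates else None


# Ranges as given in the article text above.
ADVISORIES = (
    Advisory("CVE-2022-26117", "FortiNAC", "8.3.7", "9.2.3", ("9.1.6", "9.2.4")),
    Advisory("CVE-2022-30302", "FortiDeceptor", "1.0.0", "4.0.1", ("3.3.3", "4.0.2", "4.1.0")),
    Advisory("CVE-2021-41031", "FortiClient Windows", "6.2.0", "7.0.2", ("6.4.7", "7.0.3")),
    Advisory("CVE-2021-43072", "FortiAnalyzer", "5.6.0", "7.0.2", ("6.4.8", "7.0.3")),
    Advisory("CVE-2021-43072", "FortiManager", "5.6.0", "7.0.2", ("6.4.8", "7.0.3")),
    Advisory("CVE-2021-43072", "FortiOS", "6.0.0", "7.0.5", ("6.2.11", "6.4.9", "7.0.6", "7.2.0")),
    Advisory("CVE-2021-43072", "FortiProxy", "1.0.0", "7.0.3", ("2.0.9", "7.0.4")),
)

Finding = Tuple[str, str, str, str, Optional[str]]  # host, product, version, cve, upgrade


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Match each (host, product, version) against ADVISORIES; sorted by host."""
    findings: List[Finding] = []
    for host, product, version in inventory:
        for adv in ADVISORIES:
            if adv.product == product and adv.is_affected(version):
                findings.append((host, product, version, adv.cve,
                                 adv.recommended_upgrade(version)))
    return sorted(findings)


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = (
    ("fw-edge-1", "FortiOS", "7.0.5"),       # affected, same-branch fix 7.0.6
    ("fw-edge-2", "FortiOS", "6.0.15"),      # affected, 6.0 has no fix -> 6.2.11
    ("fw-edge-3", "FortiOS", "7.2.0"),       # above the affected range
    ("nac-1", "FortiNAC", "9.1.5"),          # affected, fix 9.1.6
    ("mgr-1", "FortiManager", "7.0.3"),      # already at the fixed release
)

if __name__ == "__main__":
    for host, product, version, cve, upgrade in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} affected by {cve}; upgrade to {upgrade}")
```

The range check alone would wrongly flag FortiOS 6.2.11 (it lies inside 6.0.0 through 7.0.5), which is why the per-branch comparison in is_affected is needed; conversely a 6.0.x firewall has no fixed release on its own branch and is steered to 6.2.11.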

The manufacturer also closes further, less severe gaps in FortiAnalyzer and FortiManager 6.4.8, 7.0.4 and 7.2.0 (CVE-2022-27483, CVSS 6.8, medium; CVE-2022-26118, CVSS 6.5, medium), in FortiOS 6.2.11, 6.4.9 and 7.0.4 and FortiProxy 2.0.8 (CVE-2021-44170, CVSS 6.3, medium), in FortiADC 6.2.3 and 7.0.2 (CVE-2022-26120, CVSS 5.1, medium), and in FortiEDR Central Manager 5.0.3 patch 7 and 5.2.0 (CVE-2022-29057, CVSS 5.1, medium).

In addition, the developers have fixed a security-related problem in the dhcpd daemon of FortiOS, FortiProxy, FortiSwitch, FortiRecorder and FortiVoiceEnterprise (CVE-2021-42755, CVSS 4.2, medium). The updated FortiGate versions 7.0.6 and 7.2.0 also close a cross-site scripting vulnerability present in earlier versions (CVE-2022-23438, CVSS 3.9, low).
