PT-2019-4459 · Fortinet · FortiOS

Published: 2019-11-14 · Updated: 2021-07-21 · CVE-2019-5593

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

FortiOS versions 5.6.10 and below
FortiOS versions 6.0.0 through 6.0.6
FortiOS version 6.2.0
FortiOS version 6.2.1
Description

The issue is caused by improper permission or value checking in the CLI console, which may allow a non-privileged user to obtain the plaintext private keys of the system's built-in local certificates or of user-uploaded local certificates. This can be achieved by unsetting the key encryption password or by setting an empty password. Additionally, backed-up configuration files can be restored onto a vulnerable version of FortiOS to obtain the plaintext versions of the local certificate private keys that are stored encrypted in those configuration files.
Recommendations

For FortiOS versions 5.6.10 and below, update to a version that includes a fix for this issue.
For FortiOS versions 6.0.0 through 6.0.6, update to a version that includes a fix for this issue.
For FortiOS version 6.2.0, update to a version that includes a fix for this issue.
For FortiOS version 6.2.1, update to a version that includes a fix for this issue.

As a temporary workaround, consider restricting access to the CLI console to minimize the risk of exploitation. Avoid using empty passwords for user-uploaded local certificates and ensure that key encryption passwords are properly set.
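To turn the affected-version list above into a repeatable inventory check, the following Python snippet is an added example and is not part of the advisory or of any Fortinet tooling. It copies the three affected ranges from the advisory, parses version strings as they appear in FortiOS status output (a leading "v" and a ",buildNNNN" suffix are tolerated; the exact suffix format is an assumption), and reports which hosts in a constructed sample inventory fall inside an affected range. "5.6.10 and below" is interpreted as every version that compares less than or equal to 5.6.10, which is an assumption about the advisory's wording.

```python
"""Triage a FortiOS inventory against the affected ranges in PT-2019-4459 / CVE-2019-5593.

Added example, not from the advisory. The ranges are copied from the advisory text;
host names, version strings and helper names are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the advisory: (lower bound, upper bound), both inclusive.
# A lower bound of None encodes "and below".
AFFECTED_RANGES: Tuple[Tuple[Optional[Version], Version], ...] = (
    (None, (5, 6, 10)),       # FortiOS 5.6.10 and below
    ((6, 0, 0), (6, 0, 6)),   # FortiOS 6.0.0 through 6.0.6
    ((6, 2, 0), (6, 2, 1)),   # FortiOS 6.2.0 and 6.2.1
)


def parse_version(text: str) -> Version:
    """Parse strings such as '6.0.6', 'v6.0.6,build0272' or '6.2.1-GA' into an int tuple.

    Only the leading dotted numeric part is compared; build and tag suffixes are ignored.
    """
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def pad(v: Version, width: int = 3) -> Version:
    """Right-pad a version tuple with zeros so '6.0' compares like '6.0.0'."""
    return v + (0,) * (width - len(v))


def is_affected(text: str) -> bool:
    """True if the version lies inside any range the advisory lists as affected."""
    v = pad(parse_version(text))
    for low, high in AFFECTED_RANGES:
        if (low is None or pad(low) <= v) and v <= pad(high):
            return True
    return False


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose FortiOS version is in an affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are illustrative, not real devices).
SAMPLE_INVENTORY: Dict[str, str] = {
    "fw-edge-01": "v6.0.6,build0272",   # last affected 6.0.x build
    "fw-edge-02": "6.0.7",              # first 6.0.x release outside the affected range
    "fw-dc-01": "5.6.10",               # upper edge of "5.6.10 and below"
    "fw-dc-02": "6.2.1",                # explicitly listed
    "fw-lab-01": "6.2.2",               # not listed
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range; see Recommendations")
```

Boundaries are inclusive on both ends, so 6.0.6 and 6.2.1 are flagged while 6.0.7 and 6.2.2 are not; a version string the parser cannot read raises rather than silently passing, so an unparseable device shows up as an error in the run instead of being reported as unaffected.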

Fix

Weakness Enumeration

Improper Handling of Exceptional Conditions

Related Identifiers

BDU:2020-00246
CVE-2019-5593

Affected Products

FortiOS