PT-2023-13735 · Fortinet · Fortiproxy+1
Published 2023-02-16 · Updated 2023-02-24 · CVE-2022-39948
CVSS v3.1: 7.4 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
FortiOS versions 7.2.0 through 7.2.3
FortiOS versions 7.0.0 through 7.0.7
FortiOS version 6.4 and earlier
FortiOS version 6.2 and earlier
FortiOS version 6.0 and earlier
FortiProxy versions 7.0.0 through 7.0.6
FortiProxy version 2.0 and earlier
FortiProxy version 1.2 and earlier
Description
The vulnerability stems from improper certificate validation, which may allow a remote, unauthenticated attacker to perform a man-in-the-middle attack on the communication channel between the FortiOS/FortiProxy device and the remote servers hosting threat feeds. The attack is possible when those remote servers are configured as Fabric connectors in FortiOS/FortiProxy.
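To make the weakness class concrete, the following is an added example written for this record; it is not Fortinet code and says nothing about how FortiOS or FortiProxy implement their Fabric connectors. It contrasts a TLS client context that switches verification off (the pattern behind "improper certificate validation": any certificate, including one presented by an on-path attacker, is accepted) with a hardened context, adds an audit helper that reports why a context would accept a man-in-the-middle peer, and spells out the two checks a client must perform on the peer certificate beyond chain trust: the validity window and hostname matching against the subjectAltName entries (a subset of RFC 6125 wildcard rules). The certificate dictionary, hostnames and the `fetch_threat_feed` function are constructed for illustration.

```python
"""Added example: what a threat-feed client must check before trusting a
TLS peer, and how skipping a check lets an on-path attacker impersonate the
feed server.  Not Fortinet code; names and sample data are constructed."""
import ssl
from typing import Optional
from urllib.request import Request, urlopen


def feed_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: chain verified against trusted CAs,
    hostname checked, legacy protocol versions refused."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: validation switched off.  Any server presenting any
    certificate is accepted, so a MITM on the path to the feed succeeds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings explaining why a context would trust a MITM peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def hostname_matches(san_dns_names: list, hostname: str) -> bool:
    """RFC 6125 subset: exact match, or a single left-most wildcard label
    that never spans a dot and never matches a bare top-level domain."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in name[2:] and "." in host:
            first, rest = host.split(".", 1)
            if first and rest == name[2:]:
                return True
    return False


def validate_peer(cert: dict, hostname: str, now: float) -> list:
    """Checks on a certificate in the dict shape returned by
    ssl.SSLSocket.getpeercert(); chain trust is assumed already verified."""
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not hostname_matches(dns_names, hostname):
        findings.append("hostname %r not in subjectAltName %r" % (hostname, dns_names))
    return findings


# Constructed sample in getpeercert() shape (hypothetical feed host).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "feed.example.test"), ("DNS", "*.feeds.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")


def fetch_threat_feed(url: str, ca_bundle: Optional[str] = None) -> bytes:
    """Download a feed with the hardened context (hypothetical URL; does
    network I/O, so it is not exercised offline)."""
    with urlopen(Request(url), context=feed_context(ca_bundle), timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("hardened:", audit_context(feed_context()) or "no findings")
    print("weak:", audit_context(weak_context()))
    print("peer:", validate_peer(SAMPLE_CERT, "feed.example.test", SAMPLE_NOW) or "ok")
    print("impostor:", validate_peer(SAMPLE_CERT, "feed.attacker.test", SAMPLE_NOW))
```

The design point is that each of the three checks (chain trust, validity window, hostname) independently closes an impersonation route; a client that verifies the chain but skips the hostname check still accepts any certificate issued by a trusted CA for some other name, which is the situation the advisory's description describes.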
Recommendations
For FortiOS versions 7.2.0 through 7.2.3, update to a version outside of this range to resolve the issue.
For FortiOS versions 7.0.0 through 7.0.7, update to a version outside of this range to resolve the issue.
For FortiOS version 6.4 and earlier, update to a version later than 6.4 to resolve the issue.
For FortiOS version 6.2 and earlier, update to a version later than 6.2 to resolve the issue.
For FortiOS version 6.0 and earlier, update to a version later than 6.0 to resolve the issue.
For FortiProxy versions 7.0.0 through 7.0.6, update to a version outside of this range to resolve the issue.
For FortiProxy version 2.0 and earlier, update to a version later than 2.0 to resolve the issue.
For FortiProxy version 1.2 and earlier, update to a version later than 1.2 to resolve the issue.
Weakness Enumeration
Improper Certificate Validation
Affected Products
FortiOS
FortiProxy