CVE-2021-41025

Name of the Vulnerable Software and Affected Versions FortiWeb versions 6.0.0 through 6.0.7 FortiWeb versions 6.1.0 through 6.1.2 FortiWeb versions 6.2.0 through 6.2.6 FortiWeb versions 6.3.0 through 6.3.15 FortiWeb versions 6.4.0, 6.4.1

Description Multiple vulnerabilities in the authentication mechanism of confd may allow a remote unauthenticated attacker to circumvent the authentication process and authenticate as a legitimate cluster peer. The vulnerabilities include an instance of concurrent execution using shared resource with improper synchronization and one of authentication bypass by capture-replay.

Recommendations For FortiWeb versions 6.0.0 through 6.0.7, update to a version that includes the fix for the authentication mechanism vulnerabilities. For FortiWeb versions 6.1.0 through 6.1.2, update to a version that includes the fix for the authentication mechanism vulnerabilities. For FortiWeb versions 6.2.0 through 6.2.6, update to a version that includes the fix for the authentication mechanism vulnerabilities. For FortiWeb versions 6.3.0 through 6.3.15, update to a version that includes the fix for the authentication mechanism vulnerabilities. For FortiWeb versions 6.4.0, 6.4.1, update to a version that includes the fix for the authentication mechanism vulnerabilities. As a temporary workaround, consider restricting access to the confd authentication mechanism to minimize the risk of exploitation.