PT-2021-3708 · Fortinet · Fortimail
Published
2021-06-21
·
Updated
2022-07-12
·
CVE-2021-24020
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FortiMail versions 6.2.0 through 6.2.7
FortiMail versions 6.4.0 through 6.4.4
Description
A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail may allow an unauthenticated attacker to tamper with signed URLs by appending further data, which allows bypass of signature verification. This issue is related to errors in encryption in the hash algorithm, potentially enabling a remote attacker to bypass cryptographic protection mechanisms and elevate privileges.
Recommendations
For FortiMail versions 6.2.0 through 6.2.7, update to a version that includes the fix for the missing cryptographic step in the hash digest algorithm implementation.
For FortiMail versions 6.4.0 through 6.4.4, update to a version that includes the fix for the missing cryptographic step in the hash digest algorithm implementation.
As a temporary workaround, consider restricting access to signed URLs to minimize the risk of exploitation.
Fix
Improper Verification of Cryptographic Signature
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Fortimail