PT-2022-5771 · Fortinet · FortiOS, FortiProxy

Published: 2022-12-06 · Updated: 2023-08-08 · CVE-2022-35843

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiOS versions 6.0 through 7.2.0
FortiOS versions 6.2 through 6.4.9
FortiProxy versions 1.2.0 through 2.0.10
FortiProxy versions 7.0.0 through 7.0.5

Description

The issue is an authentication bypass by assumed-immutable data vulnerability in the SSH login component. It may allow a remote, unauthenticated attacker to log in to the device by sending a specially crafted Access-Challenge response from the RADIUS server.

Recommendations

For FortiOS versions 6.0 through 7.2.0, update to a version that includes the fix for this issue.
For FortiOS versions 6.2 through 6.4.9, update to a version that includes the fix for this issue.
For FortiProxy versions 1.2.0 through 2.0.10, update to a version that includes the fix for this issue.
For FortiProxy versions 7.0.0 through 7.0.5, update to a version that includes the fix for this issue.

As a temporary workaround, consider restricting access to the SSH login component until a patch is available. Avoid using the RADIUS server to send Access-Challenge responses to the affected devices until the issue is resolved.

Fix

Improper Access Control

Improper Authentication

RCE

Weakness Enumeration

Related Identifiers

BDU:2022-07171
CVE-2022-35843

Affected Products

FortiOS
FortiProxy