PT-2023-7378 · Fortinet · FortiAnalyzer, FortiManager, FortiGuard
Published 2023-04-11 · Updated 2023-04-18 · CVE-2023-22642
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FortiAnalyzer and FortiManager versions 6.4.8 through 6.4.10
FortiAnalyzer and FortiManager versions 7.0.0 through 7.0.5
FortiAnalyzer and FortiManager versions 7.2.0 through 7.2.1
Description
FortiAnalyzer and FortiManager do not properly validate the certificate presented by the remote FortiGuard server that hosts outbreak alert resources (CWE-295, Improper Certificate Validation). A remote, unauthenticated attacker positioned on the network path between the device and that server can therefore perform a man-in-the-middle attack on the channel: because the client never confirms who it is talking to, the attacker can impersonate the FortiGuard server and read or alter what the device fetches. The AC:H component of the CVSS vector reflects that the attacker must first obtain an on-path position; no privileges or user interaction are required.
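The bug class the description names, as an added example that is not Fortinet's code and is not taken from the advisory: a Go TLS client that negotiates TLS but skips certificate validation (InsecureSkipVerify), beside a hardened client that pins the expected certificate and checks the hostname, each exercised against a genuine and an impostor certificate generated in memory. The hostname outbreak.fortiguard.example, the name other.example and the self-signed certificates are assumptions constructed for this example; the real FortiGuard endpoint and the device's trust store are not known from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// outbreakHost is a hypothetical stand-in for the FortiGuard outbreak-alert host;
// the name is an assumption of this example, not taken from the advisory.
const outbreakHost = "outbreak.fortiguard.example"

// check aborts on setup failures (key generation, sockets) that are not the certificate decision.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert mints an in-memory certificate for dnsName; two calls give two unrelated
// certificates for the same name, one for the genuine server and one for an impostor.
func selfSignedCert(dnsName string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// vulnerableClient is the bug class the advisory describes: TLS is negotiated,
// but the peer certificate is never validated, so an on-path impostor passes.
func vulnerableClient() *tls.Config {
	return &tls.Config{ServerName: outbreakHost, InsecureSkipVerify: true}
}

// hardenedClient trusts only the pinned certificate and requires it to be valid for expectedName.
func hardenedClient(expectedName string, trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{ServerName: expectedName, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// handshake serves serverCert on a loopback listener, connects with client, and
// returns the client's verdict on the certificate (nil means accepted).
func handshake(serverCert tls.Certificate, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		check(err)
		defer conn.Close()
		_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer conn.Close()
	return tls.Client(conn, client).Handshake()
}

// Outcome records the client's verdict in each of the four scenarios below.
type Outcome struct{ VulnerableAcceptsImpostor, HardenedRejectsImpostor, HardenedRejectsWrongName, HardenedAcceptsGenuine bool }

// RunScenarios plays an impostor and the genuine server against both client configurations.
func RunScenarios() Outcome {
	genuine := selfSignedCert(outbreakHost)
	impostor := selfSignedCert(outbreakHost) // same name, a key nobody trusts
	return Outcome{
		VulnerableAcceptsImpostor: handshake(impostor, vulnerableClient()) == nil,
		HardenedRejectsImpostor:   errors.As(handshake(impostor, hardenedClient(outbreakHost, genuine.Leaf)), new(x509.UnknownAuthorityError)),
		HardenedRejectsWrongName:  errors.As(handshake(genuine, hardenedClient("other.example", genuine.Leaf)), new(x509.HostnameError)),
		HardenedAcceptsGenuine:    handshake(genuine, hardenedClient(outbreakHost, genuine.Leaf)) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Running it prints an Outcome in which the InsecureSkipVerify client accepts the impostor's certificate without complaint, while the hardened client rejects the impostor with x509.UnknownAuthorityError (chain check), rejects a trusted certificate presented under the wrong name with x509.HostnameError (hostname check), and accepts the genuine certificate. Pinning a single self-signed certificate is only the simplest way to show both checks; a product would normally trust a CA, keep the hostname check, and add revocation handling, but any client that takes the first branch here is exploitable exactly as the description states.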
Recommendations
For FortiAnalyzer and FortiManager 6.4.8 through 6.4.10, 7.0.0 through 7.0.5 and 7.2.0 through 7.2.1, update to the release of the same branch that Fortinet lists as containing the fix for this improper certificate validation; the exact fixed versions are given in Fortinet's advisory for CVE-2023-22642.
Until the update is applied, reduce the exposure of the channel rather than relying on the device to authenticate its peer: the attack needs an on-path position, so make sure the device reaches the FortiGuard server only over a network path you control (no untrusted intermediaries, proxies or DNS resolvers between the device and that server) and restrict who can reach that path.
Weakness Enumeration
CWE-295: Improper Certificate Validation
Related Identifiers
CVE-2023-22642
Affected Products
FortiAnalyzer
FortiGuard
FortiManager