PT-2025-15428 · Fortinet · Fortianalyzer+5

Published

2025-04-08

·

Updated

2025-04-22

·

CVE-2024-50565

CVSS v3.1

7.5

High

Vector

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Fortinet FortiOS versions 6.2.0 through 6.2.16
Fortinet FortiOS versions 6.4.0 through 6.4.15
Fortinet FortiOS versions 7.0.0 through 7.0.14
Fortinet FortiOS versions 7.2.0 through 7.2.7
Fortinet FortiOS versions 7.4.0 through 7.4.3
Fortinet FortiProxy versions 2.0.0 through 2.0.14
Fortinet FortiProxy versions 7.0.0 through 7.0.15
Fortinet FortiProxy versions 7.2.0 through 7.2.9
Fortinet FortiProxy versions 7.4.0 through 7.4.2
Fortinet FortiManager versions 6.2.0 through 6.2.13
Fortinet FortiManager versions 6.4.0 through 6.4.14
Fortinet FortiManager versions 7.0.0 through 7.0.11
Fortinet FortiManager versions 7.2.0 through 7.2.4
Fortinet FortiManager versions 7.4.0 through 7.4.2
Fortinet FortiAnalyzer versions 6.2.0 through 6.2.13
Fortinet FortiAnalyzer versions 6.4.0 through 6.4.14
Fortinet FortiAnalyzer versions 7.0.0 through 7.0.11
Fortinet FortiAnalyzer versions 7.2.0 through 7.2.4
Fortinet FortiAnalyzer versions 7.4.0 through 7.4.2
Fortinet FortiVoice versions 6.0.0 through 6.0.12
Fortinet FortiVoice versions 6.4.0 through 6.4.8
Fortinet FortiVoice versions 7.0.0 through 7.0.2
Fortinet FortiWeb versions 7.0.0 through 7.0.10
Fortinet FortiWeb versions 7.2.0 through 7.2.10
Fortinet FortiWeb versions 7.4.0 through 7.4.2
Description: The vulnerability allows an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (for example the FortiCloud server or FortiManager) by intercepting the FGFM authentication request exchanged between the management device and the managed device. The root cause is an improper restriction of the communication channel to intended endpoints: the managed device does not adequately verify that the peer completing the FGFM exchange is its intended manager. Because the managed device accepts management operations from whichever peer completes that exchange, a successful impersonation hands the attacker the management device's authority over the managed device, which is why the vector rates confidentiality, integrity and availability impact as High. The attack requires the attacker to already be on the path between the two devices and to catch an authentication request in flight, which is reflected in the High attack complexity and the user-interaction requirement.
Recommendations: For every affected product, update to a release outside the affected range listed above for that branch, i.e. a release newer than the last affected version of the branch (for example, a FortiOS 7.4.x device running 7.4.0 through 7.4.3 should move beyond 7.4.3; a FortiManager 7.2.x instance running 7.2.0 through 7.2.4 should move beyond 7.2.4, and so on for FortiProxy, FortiAnalyzer, FortiVoice and FortiWeb). Note that both sides of the FGFM channel appear in the affected list, so the management devices (FortiManager, FortiAnalyzer) need updating as well as the managed devices (FortiOS, FortiProxy, FortiVoice, FortiWeb).
As a temporary workaround until the update is applied, restrict the FGFM channel so that the authentication exchange between the management device and the managed device can only traverse a trusted path: permit FGFM traffic (TCP port 541 by default) only between the managed devices and the intended management endpoint, and keep that path off untrusted or shared networks. Filtering by source address limits who can reach the FGFM service, but it does not by itself stop an attacker who is already on the path between the two devices, so treat the workaround as a stopgap rather than a fix.
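Checking an inventory against the ranges above by hand is error-prone, mainly because release numbers must be compared numerically ("7.0.9" is inside the FortiProxy 7.0.0 through 7.0.15 range, yet it sorts after "7.0.15" as a string). The following script is an added example and is not part of this advisory or of any Fortinet tooling. The ranges are copied from the affected-versions list; the inventory lines are constructed sample data, and the "v7.4.3,build2573,240418 (GA.F)" style line is modelled on the version string FortiOS prints in `get system status`. The FortiGate-to-FortiOS alias is an assumption made so that appliance names in an inventory map onto the product name the advisory uses.

```python
"""Triage a device inventory against the affected ranges of CVE-2024-50565.

Added example, not from the advisory. The ranges are copied from the
advisory's affected-versions list; the inventory below is constructed data.
"""
import re
from typing import Iterable

# (product, first affected release, last affected release), as listed.
AFFECTED_RANGES = [
    ("FortiOS", "6.2.0", "6.2.16"), ("FortiOS", "6.4.0", "6.4.15"),
    ("FortiOS", "7.0.0", "7.0.14"), ("FortiOS", "7.2.0", "7.2.7"),
    ("FortiOS", "7.4.0", "7.4.3"),
    ("FortiProxy", "2.0.0", "2.0.14"), ("FortiProxy", "7.0.0", "7.0.15"),
    ("FortiProxy", "7.2.0", "7.2.9"), ("FortiProxy", "7.4.0", "7.4.2"),
    ("FortiManager", "6.2.0", "6.2.13"), ("FortiManager", "6.4.0", "6.4.14"),
    ("FortiManager", "7.0.0", "7.0.11"), ("FortiManager", "7.2.0", "7.2.4"),
    ("FortiManager", "7.4.0", "7.4.2"),
    ("FortiAnalyzer", "6.2.0", "6.2.13"), ("FortiAnalyzer", "6.4.0", "6.4.14"),
    ("FortiAnalyzer", "7.0.0", "7.0.11"), ("FortiAnalyzer", "7.2.0", "7.2.4"),
    ("FortiAnalyzer", "7.4.0", "7.4.2"),
    ("FortiVoice", "6.0.0", "6.0.12"), ("FortiVoice", "6.4.0", "6.4.8"),
    ("FortiVoice", "7.0.0", "7.0.2"),
    ("FortiWeb", "7.0.0", "7.0.10"), ("FortiWeb", "7.2.0", "7.2.10"),
    ("FortiWeb", "7.4.0", "7.4.2"),
]

# Assumption: FortiGate appliances report as "FortiGate" but run FortiOS,
# which is the product name the advisory uses.
PRODUCT_ALIASES = {"fortigate": "fortios"}

# A dotted release number, optionally prefixed with "v"; requires at least
# one dot so that model names such as "FortiGate-100F" are not matched.
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """Extract the release number from a version string as an int tuple.

    Accepts bare numbers ("7.4.3") and strings in the style FortiOS prints
    ("v7.4.3,build2573,240418 (GA.F)"). Build number and branch tag are
    ignored because the advisory ranges are expressed as releases only.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no release number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to major.minor.patch so "7.4" compares as 7.4.0, not below it.
    return tuple((parts + [0, 0, 0])[:3])


def _canonical(product: str) -> str:
    key = product.strip().lower().replace(" ", "")
    return PRODUCT_ALIASES.get(key, key)


def is_affected(product: str, version: str) -> bool:
    """True if the release lies inside any advisory range for the product.

    Comparison is on integer tuples, so 7.0.9 <= 7.0.15 holds; a string
    comparison would wrongly place "7.0.9" after "7.0.15".
    """
    key = _canonical(product)
    v = parse_version(version)
    return any(
        parse_version(lo) <= v <= parse_version(hi)
        for prod, lo, hi in AFFECTED_RANGES
        if _canonical(prod) == key
    )


def triage(inventory: Iterable[str]) -> list:
    """Inventory lines are 'hostname,product,version'.

    The version field may itself contain commas (FortiOS build strings),
    so the line is split at most twice. Returns (host, product, version,
    affected) per line.
    """
    results = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = line.split(",", 2)
        results.append((host, product, version, is_affected(product, version)))
    return results


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """\
fw-edge-01,FortiGate,v7.4.3,build2573,240418 (GA.F)
fw-edge-02,FortiOS,7.4.4
fmg-01,FortiManager,7.2.4
faz-01,FortiAnalyzer,7.4.3
proxy-01,FortiProxy,7.0.9
web-01,FortiWeb,7.2.10
"""

if __name__ == "__main__":
    for host, product, version, affected in triage(SAMPLE_INVENTORY.splitlines()):
        status = "AFFECTED" if affected else "ok"
        print(f"{host:12} {product:14} {version:36} {status}")
```

A product that does not appear in the affected list (FortiMail, for instance) is reported as not affected by this advisory only; it says nothing about other advisories, so keep the range table in sync with the current version of this page when you reuse the script.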

Fix

Weakness Enumeration

CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

Related Identifiers

BDU:2025-04808
CVE-2024-50565

Affected Products

FortiAnalyzer
FortiManager
FortiOS
FortiProxy
FortiVoice
FortiWeb