FortiMail admin privilege escalation through improper user profile control

Summary

Two improper access control vulnerabilities in FortiMail admin webUI may allow administrators to perform privileged functions they should not be authorized for.

Specifically, the two vulnerabilities are:
CVE-2019-15712: improper access control to web console
CVE-2019-15707: improper access control to system backup config download

Affected Products

FortiMail 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below.

Solutions

Upgrade to 6.2.1, 6.0.7 or 5.4.11.

After upgrading to the patched version:

* web console in admin webUI will be controlled by the following profile setting:

    config system accprofile
        set others read, read-write or none
    end

* system config downloading will be controlled by the following profile setting:

    config system accprofile
        set system read, read-write or none
    end

Revision History

2019-10-18 Initial version
2020-01-03 New fix on 5.4.11 released
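An added audit script, not part of this advisory or any Fortinet tool, that parses an exported `config system accprofile` block and lists which non-super-admin profiles still hold access to the two functions the patched versions gate on `others` and `system`. The config/edit/set/next/end block grammar, the profile names and the values in the sample are assumed and constructed for illustration.

```python
# Constructed sample of an exported FortiMail access-profile block; the
# config/edit/set/next/end grammar, profile names and values are assumed.
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin_prof"
        set system read-write
        set others read-write
    next
    edit "helpdesk"
        set system none
        set others read-write
    next
    edit "auditor"
        set system read
        set others none
    next
end
"""
GATED_KEYS = {"others": "web console", "system": "system config download"}  # per advisory

def parse_accprofiles(text):
    """Return {profile_name: {key: value}} for the 'config system accprofile' block."""
    profiles, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system accprofile":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            profiles[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            profiles[current][key] = value
        elif line == "next":
            current = None
    return profiles

def find_privileged_profiles(profiles, exempt=("super_admin_prof",)):
    """List (profile, function, access) for non-exempt profiles with access other than 'none'; unset keys are reported as 'unset'."""
    findings = []
    for name, settings in profiles.items():
        if name in exempt:
            continue
        for key, function in GATED_KEYS.items():
            access = settings.get(key, "unset")
            if access != "none":
                findings.append((name, function, access))
    return findings
```

Run it against a `show system accprofile` export from the upgraded appliance and review every reported profile against the intended role, treating `unset` as "check the device default" rather than as safe.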

Acknowledgement

Fortinet is pleased to thank Danilo Costa from PBI Dynamic IT Security for reporting these vulnerabilities under responsible disclosure.