PSIRT Advisory

Potential Information Disclosure Vulnerability in FortiGate

Summary

On January 27, 2012, vulnerability-lab.com publicly disclosed vulnerabilities discovered in FortiGate UTM WAF appliance platforms.

Description

On January 27, 2012, vulnerability-lab.com publicly disclosed vulnerabilities discovered in FortiGate UTM WAF appliance platforms.

Impact

Information Disclosure

Affected Products

Versions of FortiGate appliances believed to be affected include FortiOS v4.3 through FOS 4.3.5. At this time, there is no knowledge of other Fortinet offerings being affected, although precautionary measures are being taken to prevent similar occurrences.

Solutions

Fortinet is working towards an updated firmware release to address the issues.
These issues will be fixed in FortiOS 4.3.6 and higher.
Update March 26, 2012: FortiOS 4.3.6 is now available. Firmware images can be obtained from https://support.fortinet.com.
The following precautions are also recommended:

  • Ensure all GUI sessions use encryption (via HTTPS);
  • Configure the FortiGate to only allow GUI admin access from trusted hosts or networks;
  • If administrative access to FortiGates is required from untrusted hosts, SSH access is recommended as SSH is not affected;
  • Refrain from administering FortiGate appliances from untrusted or shared computers.
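The following FortiOS CLI fragment is an added illustration of the second and third precautions, not configuration taken from the advisory: it shows a permissive interface setting next to a hardened one that drops plaintext HTTP and limits the admin account to a management subnet. The interface name "wan1" and the subnet 192.0.2.0/24 are placeholders.

```text
# Weak starting state (constructed for illustration): plaintext HTTP GUI
# allowed on the WAN-facing interface, no trusted-host limit on "admin".
config system interface
    edit "wan1"
        set allowaccess ping http https ssh
    next
end

# Hardened: only HTTPS and SSH reach the management GUI/CLI on this
# interface, and the admin account may log in only from 192.0.2.0/24
# (placeholder management subnet).
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
    next
end
```

After applying, confirm with `show system interface wan1` and `show system admin admin` that http no longer appears under allowaccess and the trusthost entry is present.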

For more information, customers are encouraged to contact Customer Support at support@fortinet.com.