PSIRT Advisory

FortiManager TLS certificate validation failure

Summary

FortiManager does not properly validate TLS certificates when probing for devices to administer. This leads to potential pre-shared secret exposure.

Description

FortiManager does not properly validate TLS certificates when probing for devices to administer. This leads to potential pre-shared secret exposure.
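The class of check this advisory concerns, shown as an added example that is not Fortinet code and not part of the original advisory: a management client should refuse to send a pre-shared secret unless the TLS context verifies both the certificate chain and the device name. The function names, host and secret below are hypothetical.

```python
import socket
import ssl


def probe_context(ca_file=None, verify=True):
    """Build the TLS client context used when probing a device (hypothetical helper)."""
    if not verify:
        # Weak form: any certificate is accepted, so whoever answers the
        # probe can complete the handshake and receive the secret.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Hardened form: chain validation and hostname matching are both on.
    # ca_file may point at a private CA bundle; None uses the system store.
    return ssl.create_default_context(cafile=ca_file)


def validation_gaps(ctx):
    """Return the certificate checks that this context skips."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("peer certificate chain is not verified")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched against the device name")
    return gaps


def send_secret(host, port, secret, ctx, timeout=5.0):
    """Send the secret only over a context that authenticates the peer."""
    gaps = validation_gaps(ctx)
    if gaps:
        # Fail closed before any socket is opened.
        raise ssl.SSLError("refusing to send secret: " + "; ".join(gaps))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # The handshake raises ssl.SSLCertVerificationError on a bad
        # certificate, so sendall() is never reached for an unverified peer.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(secret)


if __name__ == "__main__":
    for label, verify in (("weak", False), ("hardened", True)):
        print(label, validation_gaps(probe_context(verify=verify)))
```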

Impact

Credentials exposure

Affected Products

FortiManager 5.0.6 to 5.2.7 and 5.4.0 to 5.4.1.

Solutions

Upgrade to FortiManager (FMG) 5.2.8 or 5.4.2.

Acknowledgement

Fortinet is pleased to thank the Airbus security team for reporting this vulnerability under responsible disclosure.