FortiMail admin privilege elevation through improper user profile control
Summary
Two improper access control vulnerabilities in the FortiMail admin web UI may allow administrators to perform privileged functions that their access profile should not authorize.
Specifically, the two vulnerabilities are identified as the following:
CVE-2019-15712: improper access control to web console
CVE-2019-15707: improper access control to system backup config download
Affected Products
FortiMail 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below.
Solutions
Upgrade to FortiMail 6.2.1, 6.0.7 or 5.4.11.
After upgrading to the patched version:
* access to the web console in the admin web UI will be controlled by the following access profile setting:
config system accprofile
set others {read | read-write | none}
end
* downloading of the system backup configuration will be controlled by the following access profile setting:
config system accprofile
set system {read | read-write | none}
end
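The following is an added example, not part of the Fortinet advisory, showing the two settings in the context of complete access profiles on a fixed build: one profile that leaves the web console and configuration download available, beside a restricted profile that denies both. The profile and administrator names are placeholders, and the "config system admin" binding at the end is assumed from the FortiMail CLI rather than taken from the advisory.

```text
# Added example (not from the Fortinet advisory). Profile and admin names are
# placeholders; the "config system admin" binding is an assumed FortiMail CLI form.

# Profile that still permits both functions covered by the advisory
config system accprofile
    edit "ops-full"
        set others read-write    # web console available
        set system read-write    # system backup config download available
    next
end

# Restricted profile: the fixed builds now enforce these two settings
config system accprofile
    edit "ops-restricted"
        set others none          # no web console
        set system none          # no system backup config download
    next
end

# Bind a restricted administrator to the restricted profile (assumed syntax)
config system admin
    edit "ops-user"
        set access-profile "ops-restricted"
    next
end
```

After upgrading, review the "others" and "system" values of every access profile that is bound to an administrator: before the fix those values did not block the two functions, so profiles written on an affected build may never have been checked against them. Note that "system" and "others" presumably gate more than the two functions named in the advisory, so tightening them to "none" may also remove other access in the same category.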
Revision History:
2019-10-18 Initial version
2020-01-03 Fix for 5.4.11 released