PSIRT Advisory

FortiAnalyzer could potentially be used in NTP amplification attacks

Summary

An insufficient control of network message volume vulnerability (CWE-406) in FortiAnalyzer may allow an unauthenticated remote attacker to perform NTP amplification attacks, causing reflected denial of service on arbitrary targets, by sending specially crafted mode 6 queries to the FortiAnalyzer built-in NTP server.

Impact

DoS, NTP amplification attacks

Affected Products

FortiAnalyzer 6.4.0, 6.2.3 and below (*)


* only models that support FortiRecorder management are impacted:


FAZ_200F

FAZ_300F

FAZ_400E

FAZ_800F

FAZ_1000E

FAZ_1000F

FAZ_2000E

FAZ_3000F

FAZ_3500G

FAZ_3700F

FAZ_VM64

FAZ_VM64_KVM

Solutions

Upgrade to FortiAnalyzer 6.2.4 or 6.4.1
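
An added example, not part of the advisory or of any Fortinet code: a passive check that a defender can run over captured UDP/123 payloads to spot the mode 6 traffic described in the Summary and measure the response-to-request byte ratio per NTP server. The header layout is the standard NTP control message format; the addresses, payload sizes and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

MODE_CONTROL = 6  # NTP mode 6: control messages (the protocol ntpq speaks)
# flags (LI/VN/mode), R/E/M bits + opcode, sequence, status, association id, offset, count
CTL_HEADER = struct.Struct("!BBHHHHH")


def parse_mode6(payload: bytes):
    """Return header fields if payload is an NTP mode 6 message, else None."""
    if len(payload) < CTL_HEADER.size:
        return None
    flags, rem_op, seq, _status, _assoc, _offset, count = CTL_HEADER.unpack_from(payload)
    if flags & 0x07 != MODE_CONTROL:
        return None  # ordinary time sync (modes 3/4) or other traffic
    return {"response": bool(rem_op & 0x80), "opcode": rem_op & 0x1F,
            "sequence": seq, "count": count}


def amplification_by_server(packets):
    """packets: iterable of (src, dst, udp_payload).

    Returns {server_ip: (request_bytes, response_bytes, ratio)}. Bytes are
    attributed to the server side because, in a reflection attack, the
    request's source address is the spoofed victim.
    """
    totals = defaultdict(lambda: [0, 0])
    for src, dst, payload in packets:
        hdr = parse_mode6(payload)
        if hdr is None:
            continue
        if hdr["response"]:
            totals[src][1] += len(payload)
        else:
            totals[dst][0] += len(payload)
    return {s: (q, r, r / q if q else float("inf")) for s, (q, r) in totals.items()}


def sample_ctl(response: bool, data: bytes = b"") -> bytes:
    """Build a constructed mode 6 payload (version 2, opcode 2) for the sample below."""
    return CTL_HEADER.pack(0x16, (0x80 if response else 0) | 2, 1, 0, 0, 0, len(data)) + data


# Constructed sample capture: 192.0.2.10 stands in for the NTP server.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", sample_ctl(False)),              # 12-byte query
    ("192.0.2.10", "198.51.100.7", sample_ctl(True, b"x" * 468)),   # 480-byte reply
    ("198.51.100.7", "192.0.2.10", bytes([0x23]) + bytes(47)),      # mode 3 time request
]

if __name__ == "__main__":
    for server, (req, resp, ratio) in amplification_by_server(SAMPLE).items():
        print(f"{server}: {req} B in, {resp} B out, x{ratio:.1f}")
```

Any server that shows mode 6 responses to addresses outside the management network is answering control queries it should not be, regardless of the measured ratio.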