FortiOS & FortiProxy - SSH authentication bypass when RADIUS authentication is used

Summary

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component may allow a remote and unauthenticated attacker to login into the device via sending specially crafted Access-Challenge response from the Radius server.

Affected Products

FortiProxy version 7.0.0 through 7.0.6
FortiProxy version 2.0.0 through 2.0.10
FortiProxy 1.2 all versions
FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.7
FortiOS version 6.4.0 through 6.4.9
FortiOS 6.2 all versions
FortiOS 6.0 all versions

Solutions

Please upgrade to FortiOS version 7.2.2 or above
Please upgrade to FortiOS version 7.0.8 or above
Please upgrade to FortiOS version 6.4.10 or above
Please upgrade to upcoming FortiOS version 6.2.13 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiProxy version 2.0.11 or above

Acknowledgement

Fortinet is pleased to thank Egbert Nijmeijer from ICT Teamwork for reporting this vulnerability under responsible disclosure.