SSH authentication bypass when RADIUS authentication is used

Summary

An authentication bypass by assumed-immutable data vulnerability [CWE-302] in the FortiOS SSH login component may allow a remote and unauthenticated attacker to log in to the device by sending a specially crafted Access-Challenge response from the RADIUS server.
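The weakness class named above (trusting data in a RADIUS reply as if it could not have been altered) is best countered on the client side by authenticating every reply before acting on any attribute it carries. The following is an added illustration, not FortiOS code and not the vendor's fix: it implements the RFC 2865 Response Authenticator check (MD5 over Code, Identifier, Length, the original Request Authenticator, the attributes and the shared secret) and only releases the State attribute of an Access-Challenge once that check, the identifier match and the length field all pass. The shared secret, identifier, request authenticator and attribute values are constructed sample data.

```python
"""Verify a RADIUS Access-Challenge before trusting its contents (RFC 2865 section 3).

Added example: a minimal client-side check, not FortiOS code. Any reply that
fails the Response Authenticator is treated exactly like an Access-Reject.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11

ATTR_REPLY_MESSAGE = 18
ATTR_STATE = 24

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(blob: bytes) -> dict:
    """Parse attribute TLVs; reject truncated or undersized entries."""
    attrs = {}
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, expected_ident: int, secret: bytes) -> bool:
    """Client side: True only for an untampered reply to the request we actually sent."""
    if len(packet) < 20:
        return False
    _code, ident, length = HEADER.unpack_from(packet)
    if length != len(packet) or ident != expected_ident:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])  # constant-time compare


def handle_reply(packet: bytes, request_auth: bytes, expected_ident: int, secret: bytes) -> tuple:
    """Return ("challenge", state) only for an authenticated Access-Challenge.

    Anything that cannot be verified, including a well-formed challenge signed
    with the wrong secret, is mapped to ("reject", None). No attribute is read
    before verification succeeds.
    """
    if not verify_response(packet, request_auth, expected_ident, secret):
        return ("reject", None)
    code = packet[0]
    if code == ACCESS_ACCEPT:
        return ("accept", None)
    if code == ACCESS_CHALLENGE:
        try:
            return ("challenge", decode_attrs(packet[20:]).get(ATTR_STATE))
        except ValueError:
            return ("reject", None)
    return ("reject", None)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))      # would be 16 random bytes in a real client
    ident = 7
    attrs = encode_attr(ATTR_STATE, b"sess-1") + encode_attr(ATTR_REPLY_MESSAGE, b"Enter token")

    genuine = build_response(ACCESS_CHALLENGE, ident, req_auth, attrs, secret)
    print("genuine   :", handle_reply(genuine, req_auth, ident, secret))
    # Same bytes with the State value altered in flight: authenticator no longer matches.
    tampered = genuine[:22] + b"sess-X" + genuine[28:]
    print("tampered  :", handle_reply(tampered, req_auth, ident, secret))
    # Challenge built without knowledge of the shared secret.
    forged = build_response(ACCESS_CHALLENGE, ident, req_auth, attrs, b"wrong-secret")
    print("forged    :", handle_reply(forged, req_auth, ident, secret))
```

The design point is that the client keeps its own record of the Request Authenticator and Identifier and derives trust from those plus the shared secret; the reply's own fields are inputs to the check, never the source of truth. A client that reads State or any other attribute before `verify_response` returns True is exactly the pattern CWE-302 describes.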

Version          Affected                 Solution
FortiOS 7.2      7.2.0 through 7.2.1      Upgrade to 7.2.2 or above
FortiOS 7.0      7.0.0 through 7.0.7      Upgrade to 7.0.8 or above
FortiOS 6.4      6.4.0 through 6.4.9      Upgrade to 6.4.10 or above
FortiOS 6.2      6.2 all versions         Upgrade to 6.2.13 or above
FortiOS 6.0      6.0 all versions         Migrate to a fixed release
FortiProxy 7.2   Not affected             Not Applicable
FortiProxy 7.0   7.0.0 through 7.0.6      Upgrade to 7.0.7 or above
FortiProxy 2.0   2.0.0 through 2.0.10     Upgrade to 2.0.11 or above
FortiProxy 1.2   1.2 all versions         Migrate to a fixed release
FortiProxy 1.1   Not affected             Not Applicable

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Acknowledgement

Fortinet is pleased to thank Egbert Nijmeijer from ICT Teamwork for reporting this vulnerability under responsible disclosure.

Timeline

2022-12-06: Initial publication