FortiOS & FortiProxy - Lack of certificate verification when establishing secure connections with threat feed fabric connectors

Summary

An improper certificate validation vulnerability [CWE-295] in FortiOS and FortiProxy may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy)

Affected Products

FortiProxy version 7.0.0 through 7.0.6
FortiProxy version 2.0 all versions
FortiProxy version 1.2 all versions
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.7
FortiOS version 6.4 all versions
FortiOS version 6.2 all versions
FortiOS version 6.0 all versions

Solutions

Please upgrade to FortiProxy version 7.2.0 or above
Please upgrade to FortiProxy version 7.0.7 or above
Please upgrade to FortiOS version 7.2.4 or above
Please upgrade to FortiOS version 7.0.8 or above