Improper input validation in custom dataset
Summary
An improper input validation vulnerability [CWE-20] in FortiAnalyzer & FortiManager may allow an authenticated attacker to disclose file system information via custom dataset SQL queries.
Workaround:
If enabled, disable the FortiAnalyzer features option in FortiManager via:
config system global
set faz-status disable
end
FortiManager 100C is not impacted due to the absence of the FortiAnalyzer features option.
Affected Products
At least FortiManager version 7.2.0 through 7.2.1
FortiManager version 7.0.0 through 7.0.6
FortiManager version 6.4.0 through 6.4.11
FortiManager 6.2 all versions
FortiManager 6.0 all versions
At least FortiAnalyzer version 7.4.0 through 7.4.1
FortiAnalyzer version 7.2.0 through 7.2.3
FortiAnalyzer version 7.0.0 through 7.0.8
FortiAnalyzer version 6.4.0 through 6.4.12
FortiAnalyzer version 6.2.0 through 6.2.11
FortiAnalyzer version 6.0.1 through 6.0.12
Solutions
Please upgrade to upcoming FortiAnalyzer version 7.4.2 or above
Please upgrade to FortiAnalyzer version 7.2.4 or above
Please upgrade to FortiAnalyzer version 7.0.9 or above
Please upgrade to FortiAnalyzer version 6.4.13 or above
Please upgrade to FortiAnalyzer version 6.2.12 or above
Please upgrade to upcoming FortiManager version 7.4.2 or above
Please upgrade to FortiManager version 7.2.4 or above
Please upgrade to FortiManager version 7.0.9 or above
Please upgrade to FortiManager version 6.4.13 or above
Please upgrade to FortiManager version 6.2.12 or above
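A version triage helper for the ranges listed above, added here as an example and not Fortinet's own tooling; product names and version numbers are transcribed from this advisory, and a build past an "At least" bound but below the first fixed release is flagged for review rather than assumed safe.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(text: str) -> Version:
    """Turn '7.2.3' into (7, 2, 3); anything else is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

# Affected ranges from the advisory: (product, low, high, open_ended). high=None means
# the page says "all versions" of that branch; open_ended records the "At least" qualifier.
AFFECTED: List[Tuple[str, Version, Optional[Version], bool]] = [
    ("FortiManager", (7, 2, 0), (7, 2, 1), True),
    ("FortiManager", (7, 0, 0), (7, 0, 6), False),
    ("FortiManager", (6, 4, 0), (6, 4, 11), False),
    ("FortiManager", (6, 2, 0), None, False),
    ("FortiManager", (6, 0, 0), None, False),
    ("FortiAnalyzer", (7, 4, 0), (7, 4, 1), True),
    ("FortiAnalyzer", (7, 2, 0), (7, 2, 3), False),
    ("FortiAnalyzer", (7, 0, 0), (7, 0, 8), False),
    ("FortiAnalyzer", (6, 4, 0), (6, 4, 12), False),
    ("FortiAnalyzer", (6, 2, 0), (6, 2, 11), False),
    ("FortiAnalyzer", (6, 0, 1), (6, 0, 12), False),
]

# First fixed release per major.minor branch, from the Solutions section.
FIXED: Dict[Tuple[str, int, int], Version] = {
    ("FortiAnalyzer", 7, 4): (7, 4, 2), ("FortiAnalyzer", 7, 2): (7, 2, 4),
    ("FortiAnalyzer", 7, 0): (7, 0, 9), ("FortiAnalyzer", 6, 4): (6, 4, 13),
    ("FortiAnalyzer", 6, 2): (6, 2, 12),
    ("FortiManager", 7, 4): (7, 4, 2), ("FortiManager", 7, 2): (7, 2, 4),
    ("FortiManager", 7, 0): (7, 0, 9), ("FortiManager", 6, 4): (6, 4, 13),
    ("FortiManager", 6, 2): (6, 2, 12),
}

def triage(product: str, version: str) -> str:
    """Classify one build as 'fixed', 'affected', 'review' or 'not listed'."""
    v = parse_version(version)
    fixed = FIXED.get((product, v[0], v[1]))
    if fixed is not None and v >= fixed:
        return "fixed"                      # at or past the first fixed release
    for prod, low, high, open_ended in AFFECTED:
        if prod != product or v[:2] != low[:2]:
            continue                        # other product or other branch
        if high is None or low <= v <= high:
            return "affected"
        if open_ended and v > high:
            return "review"                 # past an "At least" bound, below the fix
    return "not listed"
```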