FortiOS & FortiProxy - Anti brute-force bypass in administrative interface

Summary

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiOS & FortiProxy administrative interface may allow an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

Affected Products

FortiSwitchManager version 7.2.0 through 7.2.2
FortiSwitchManager version 7.0.0 through 7.0.2
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiOS version 6.4.0 through 6.4.12
FortiOS 6.2 all versions
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions

Solutions

Please upgrade to FortiProxy version 7.2.2 or above.
Please upgrade to FortiProxy version 7.0.8 or above.
Please upgrade to FortiOS version 7.2.4 or above.
Please upgrade to FortiOS version 7.0.11 or above.
Please upgrade to FortiOS version 6.4.13 or above.

Acknowledgement

Internally discovered and reported by Goutham Rukmasah from Fortinet's FortiGuard Labs .

Timeline

2023-03-21: Initial publication