FortiOS & FortiProxy - Anti brute-force bypass in administrative interface
Summary
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiOS & FortiProxy administrative interface may allow an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.
Affected Products
FortiSwitchManager version 7.2.0 through 7.2.2
FortiSwitchManager version 7.0.0 through 7.0.2
FortiOS version 7.2.0 through 7.2.3
FortiOS version 7.0.0 through 7.0.10
FortiOS version 6.4.0 through 6.4.12
FortiOS 6.2 all versions
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy 2.0 all versions
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
FortiProxy 1.0 all versions
Solutions
Please upgrade to FortiProxy version 7.2.2 or above.
Please upgrade to FortiProxy version 7.0.8 or above.
Please upgrade to FortiOS version 7.2.4 or above.
Please upgrade to FortiOS version 7.0.11 or above.
Please upgrade to FortiOS version 6.4.13 or above.
Acknowledgement
Internally discovered and reported by Goutham Rukmasah from Fortinet's FortiGuard Labs .Timeline
2023-03-21: Initial publication